RE: STS and lockCA

> Gerv had proposed..
> >
> > We would like to allow sites to partition the CA space so that compromises
> > and problems in other parts of it don't affect them.
> >
> > I therefore propose a simple extension to the STS standard; a single token
> > to be appended to the end of the header:
> >
> > lockCA



Adam Barth replies..
> 
> This is an interesting proposal.  

Agreed.


> I think we should resist expanding the scope of the core STS proposal.

Agreed -- this is what we (PayPal) also desire.


>  There are many different kinds of tokens one could imagine adding to
> mitigate different threat models. 

Yes, e.g. EVonly


> Instead of adding them all in v1,
> we should allow / encourage this kind of experimentation by defining a
> forwards-compatible grammar for the STS header.

Agreed, see the thread entitled "more flexible ABNF for STS?"

Since the latter presumably has more-or-less direct implications for
one's parser implementation, it'd be best to specify the ABNF + UA impl
guidance now, it'd seem.

=JeffH

Received on Friday, 2 October 2009 21:55:39 UTC
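As an added illustration of the parser consequence JeffH raises above (this is example code, not anything from the thread or from a browser), here is a Python parser for a Strict-Transport-Security field value written against a forwards-compatible directive grammar: the one later standardized in RFC 6797 (assumed here as the target), where unknown tokens such as lockCA or EVonly are retained but never acted on, while a malformed or duplicated directive invalidates the whole header.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Directive grammar (RFC 6797 shape, assumed as the target here):
#   directive = directive-name [ "=" ( token | quoted-string ) ]
# Directives are ";"-separated, names are case-insensitive, max-age is mandatory,
# a name that appears twice makes the header invalid, unknown names are ignored.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE_RE = re.compile(rf"^\s*({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*$")


@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool = False
    # Extension directives the UA does not understand (e.g. lockCA) are kept so
    # they can be logged or experimented with, but they never change core policy.
    extensions: Dict[str, Optional[str]] = field(default_factory=dict)


def _unquote(value: Optional[str]) -> Optional[str]:
    """Strip quoted-string quoting and backslash escapes; tokens pass through."""
    if value is None or not value.startswith('"'):
        return value
    return re.sub(r"\\(.)", r"\1", value[1:-1])


def parse_sts(header_value: str) -> Optional[StsPolicy]:
    """Parse one STS field value; None means 'header invalid, ignore it'."""
    seen: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        if not part.strip():          # empty directives ("a;;b") are permitted
            continue
        m = _DIRECTIVE_RE.match(part)
        if m is None:
            return None               # malformed directive: whole header invalid
        name = m.group(1).lower()
        if name in seen:
            return None               # duplicated directive: whole header invalid
        seen[name] = _unquote(m.group(2))
    max_age = seen.pop("max-age", None)
    if max_age is None or not max_age.isdigit():
        return None                   # max-age is mandatory and must be delta-seconds
    policy = StsPolicy(max_age=int(max_age))
    if seen.pop("includesubdomains", "absent") != "absent":
        policy.include_subdomains = True
    policy.extensions = seen          # forwards-compatible: retained, not acted on
    return policy
```

A constructed header such as `max-age=31536000; includeSubDomains; lockCA` parses to a policy whose `extensions` records `lockca` without the UA having to understand it.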