
Re: [WEB SECURITY] Strict-Transport-Security on https://www.paypal.com



On Tue, Nov 10, 2009 at 1:04 AM, Bil Corry <bil@xxxxxxxxx> wrote:
> Andy Steingruebl wrote on 11/7/2009 9:00 AM:
>> There are a few considerations on this though, especially if a few of
>> the proposed features such as LockCA get added.  In that case you
>> wouldn't necessarily want the max-age to be longer than your existing
>> certificate lifetime, just in case you wanted to change CAs.  For
>> some people they won't worry about that (I don't) but other folks do
>> switch CAs periodically, so that is a concern.
>
> One idea to consider, especially for LockCA[1], is to somehow denote that STS should expire at the same time as the cert, perhaps by omitting max-age or allowing max-age=cert, etc.  This will prevent accidentally causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.

That is a great proposal.  If you haven't, can you please post it in
response to Gerv's original proposal on the webapps list?

Thanks

-- 
Andy Steingruebl
steingra@xxxxxxxxx
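The thread's point is that an HSTS max-age should not outlive the certificate it was issued alongside. The following is an added example, not code from the thread or from any of its participants: it parses a Strict-Transport-Security header value in its standard form (`max-age=<seconds>` plus optional directives, as later fixed in RFC 6797; the `max-age=cert` syntax floated above is a proposal and is not parsed), compares the declared max-age against the certificate's remaining lifetime, and shows how a server could clamp the value it emits. The header string and the certificate expiry date are constructed sample values; the function and variable names are mine.

```python
"""Compare an HSTS max-age with the certificate's remaining lifetime.

Added example, not part of the mailing-list thread. The header and the
certificate dates below are constructed; nothing is fetched from the network.
"""
from datetime import datetime, timezone


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive; max-age is returned as an int,
    valueless directives such as includeSubDomains as True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = value if value else True
    return directives


def seconds_until(not_after: datetime, now: datetime) -> int:
    """Seconds left on a certificate (its notAfter) relative to 'now'; 0 if expired."""
    return max(0, int((not_after - now).total_seconds()))


def check_max_age(header: str, not_after: datetime, now: datetime) -> tuple:
    """Audit check: does the declared max-age fit inside the cert lifetime?

    Returns (ok, max_age, cert_seconds_remaining). ok is False when the
    policy would keep pinning clients to HTTPS (or, under a LockCA-style
    extension, to the current CA) after the certificate has expired.
    """
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires a max-age directive")
    remaining = seconds_until(not_after, now)
    return max_age <= remaining, max_age, remaining


def build_hsts(desired_max_age: int, not_after: datetime, now: datetime,
               include_subdomains: bool = False) -> str:
    """Build a header value whose max-age never exceeds the cert's remaining life.

    Clamping on the server side at response time has the effect the thread
    asks for (policy and certificate expire together) without new syntax.
    """
    max_age = min(desired_max_age, seconds_until(not_after, now))
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


if __name__ == "__main__":
    # Constructed sample: a one-year certificate and a two-year HSTS policy.
    now = datetime(2009, 11, 10, tzinfo=timezone.utc)
    cert_not_after = datetime(2010, 11, 10, tzinfo=timezone.utc)
    header = "max-age=63072000; includeSubDomains"

    ok, max_age, remaining = check_max_age(header, cert_not_after, now)
    print(f"declared max-age={max_age}s, cert remaining={remaining}s, ok={ok}")
    print("clamped header:", build_hsts(63072000, cert_not_after, now, True))
```

Note that clamping only addresses the expiry case Andy raised: a policy already cached by a browser is unaffected by later revocation of the certificate, so a shorter max-age still limits how long a client is pinned after a revocation.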

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
