> On Apr 4, 2018, at 10:07 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
>
> Given what we've learned about pinning (it is being removed from
> browsers), this seems like a bad plan to me.
Question, are you thinking of HPKP or STS? HPKP pins rather volatile
data, and is too fragile to be used (something I would have predicted
without even running the experiment). STS and this proposal pin a
capability:
* STS: I can be relied on to support TLS
* option (B): I can be relied on to support the TLS extension
for the specified itme (or not when the TTL is 0).
So I rather that the unsurprising failure of HPKP is the wrong lesson
to apply. STS seems successful enough, indeed in the UTA working
group Google, Microsoft, Yahoo et. al. are standardizing an STS for
SMTP (as a work-around for lack of DNSSEC in their domains) and this
pins an STS policy for timescales comparable to the proposal here.
The UTA STS draft has just cleared WG last call, Should I expect that the
folks in this WG opposing the pin for the DANE chain extension are strongly
opposed to SMTP STS and will argue against it in IETF last call and if
IESG members in IESG review?
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
