On Wed, Apr 18, 2018 at 4:56 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On Apr 18, 2018, at 4:52 PM, Richard Barnes <r...@ipv.sx> wrote:
> >
> > Secondary point. Still don't think we should deliberately include undefined fields, e.g., because part of the discussion is whether 16 bits is the right size.
>
> 16 bits is clearly enough. If the units are hours that gets you ~7.5 years. Pinning for less than an hour is pointless, it then becomes smaller than typical DNS TTLs for the TLSA RRset the client got previously, which it can cache without any pinning.
>
> Pinning for more than 7.5 years is absurd, it only protects clients that connect less than twice per decade...
>

640k should be enough for anyone.

`preload`? `includeSubdomains`? Experience with HSTS and HPKP shows you need more than an integer.

--Richard

>
> --
> Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>