On Mon, Aug 26, 2019 at 06:00:07PM +0200, Daniel Margolis wrote:

> I think it's reasonable for someone just deploying a policy to set a
> max_age that's very small--like, a day or less. (They of course should also
> use report-only mode to try to ensure things work during launch, but this
> would be an additional safety measure.)

At the low end, the sending MTA may be burdened with overly frequent
HTTPS policy checks. Implementations might therefore set a floor on
the max_age, and not check more frequently. Any such floor should be
as small as practical, hours not days.

> A max_age above the max results in a non-compliant policy. I guess senders
> should probably treat that like any other syntactically invalid policy (and
> not honor it). Trying to guess what the implementor meant seems like a bad
> idea in the long run.

The only other available option is to truncate larger values to an
acceptable maximum. Implementations are always free to use shorter
values than the max_age in the policy, even when the policy value
is below the RFC limit.

--
Viktor.
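
The max_age handling discussed in this message, as an added example that is not part of the original thread or any MTA's code: it computes how long a sender caches a fetched MTA-STS policy, with both options for an over-limit value (reject or truncate), an optional shorter local lifetime, and a floor. The function names, the one-hour floor and the sample policies are assumptions; 31557600 is the max_age upper bound in RFC 8461.

```python
RFC8461_MAX_AGE = 31557600   # upper bound on max_age in RFC 8461, in seconds
FLOOR = 3600                 # assumed local floor ("hours not days")


class PolicyError(ValueError):
    """The fetched policy must not be honored."""


def parse_max_age(policy_text):
    """Extract max_age from the key/value lines of a policy body."""
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "max_age":
            value = value.strip()
            if not (value.isascii() and value.isdigit()):
                raise PolicyError("max_age is not a non-negative integer")
            return int(value)
    raise PolicyError("max_age missing")


def cache_lifetime(policy_text, over_max="reject", local_cap=None):
    """Seconds to cache the policy before the next HTTPS fetch.

    over_max="reject":   a max_age above the RFC limit invalidates the policy.
    over_max="truncate": the value is clamped to the RFC limit instead.
    local_cap:           optional shorter lifetime chosen by the sender.
    """
    max_age = parse_max_age(policy_text)
    if max_age > RFC8461_MAX_AGE:
        if over_max == "reject":
            raise PolicyError("max_age exceeds RFC 8461 limit")
        max_age = RFC8461_MAX_AGE
    if local_cap is not None:
        max_age = min(max_age, local_cap)
    # The floor keeps a very small max_age from forcing constant re-fetches.
    return max(max_age, FLOOR)


def make_policy(max_age):
    """Constructed sample policy body for example.com (not real data)."""
    return ("version: STSv1\r\nmode: testing\r\n"
            "mx: mail.example.com\r\nmax_age: %s\r\n" % max_age)


if __name__ == "__main__":
    for age in (60, 86400, 99999999):
        print(age, cache_lifetime(make_policy(age), over_max="truncate"))
```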