On Sat, May 23, 2020 at 8:27 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> On Sat, May 23, 2020 at 09:07:06PM +0200, A. Schulze wrote:
>
> > I asked a similar question last year:
> > https://mailarchive.ietf.org/arch/msg/uta/bnUjy9jxM_Va-lDXVtbB32zIkYI/
> > Currently I use ~ 3 days as "max-age" and receive reports from google
> > that don't let me think they have any problem with my setting.
>
> Keep in mind that I expect implementations of MTA-STS to not refresh
> policy caches pre-expiration in the *absence* of traffic to the
> destination domain. So if any domain hosts users who in aggregate
> correspond with you less often than every 3 days, MTA-STS is completely
> ineffective at protecting that traffic against MiTM downgrades.
>
> Thus, my take is that MTA-STS policies with a max_age less than ~30 days
> are potentially ineffective, and perhaps not worth the bother.

Sure, for production use. The issue I am seeing is this: New users are
experimenting with MTA-STS and wish to use a small policy duration until
they're confident in their configuration. They use values in hours and
don't get any reports.

Perhaps there's a case for specifying a minimum acceptable policy
duration in RFC errata or something?

> --
> Viktor.

--
Ivan
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
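An added example, not from the thread or from any MTA-STS implementation, that makes Viktor's point concrete: it parses an RFC 8461 policy body and reports whether a sender with a given sending cadence would find the cached policy expired before its next message. The ~30-day floor is his rule of thumb from the discussion, not an RFC value, and the sample policy and sending cadence are constructed.

```python
# Added example (not from the thread): parse an RFC 8461 policy body and
# check its max_age against the traffic-driven refresh concern raised above.
SECONDS_PER_DAY = 24 * 3600
# Viktor's rule of thumb from the thread (~30 days), not an RFC value.
RECOMMENDED_MIN_MAX_AGE = 30 * SECONDS_PER_DAY

# Constructed sample policy using the ~3-day max_age mentioned in the thread.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.example.net
max_age: 259200
"""

def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines of an MTA-STS policy; 'mx' may repeat."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or "max_age" not in policy:
        raise ValueError("policy missing version or max_age")
    return policy

def unprotected_gap(max_age: int, send_interval: int) -> bool:
    """True if a sender that contacts the domain only every send_interval
    seconds finds its cached policy expired before the next message.
    Assumes, as the thread does, no refresh in the absence of traffic,
    so that next delivery starts without a valid policy to enforce."""
    return send_interval > max_age

def assess(text: str, send_interval_days: int) -> dict:
    """Summarise whether a policy protects a sender with this cadence."""
    p = parse_policy(text)
    return {
        "max_age_days": p["max_age"] / SECONDS_PER_DAY,
        "below_recommended": p["max_age"] < RECOMMENDED_MIN_MAX_AGE,
        "sender_unprotected": unprotected_gap(
            p["max_age"], send_interval_days * SECONDS_PER_DAY),
    }
```

For the 3-day sample policy, a domain that writes to you weekly is flagged as unprotected; raising max_age to 30 days clears both flags for that cadence.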