aeris22’s Twitter Archive—№ 38,663

1. …in reply to @CubicleApril
   @aprilmpls @jvehent Sure. But you can’t guarantee your visitors are fresh enough to support a change of key. You have to wait at least max-age
2. …in reply to @aeris22
   @aprilmpls @jvehent between last planned change in case of (unplanned) compromise.
3. …in reply to @aeris22
   @aprilmpls @jvehent (Or more generally, N max-age if you publish N backup keys on your HPKP, assuming all backups are safe)
4. …in reply to @aeris22
   @aprilmpls @jvehent Best/worst example is @letsencrypt. With default config (key renewed every 90d), if you set HPKP to 60d and you are […]
5. …in reply to @aeris22
   @aprilmpls @jvehent @letsencrypt compromised between 0 and 60 days after a key renewal, you CAN’T change your key without breaking some visitors
6. …in reply to @aeris22
   @aprilmpls @jvehent @letsencrypt (The example is in practice worse because you can’t guess your future key, so no backup is possible […]
7. …in reply to @aeris22
   @aprilmpls @jvehent and so the default @letsencrypt configuration is incompatible with HPKP)