I do not have a clear understanding of the purpose of the max-age directive in RFC 7469 (Public Key Pinning Extension for HTTP).
My understanding of RFC 7469 and HTTP Public Key Pinning is that every time a client starts an HTTPS transaction with a server, it should compute the pin of the server certificate and verify that it matches one of the pins returned by the server in a previous transaction. If the pin does not match, then a man-in-the-middle event may have occurred and the connection must be refused.
What is not clear to me is the purpose of the "max-age" directive. This is what RFC 7469 states:
The "max-age" directive specifies the number of seconds after the reception of the PKP header field during which the UA SHOULD regard the host (from whom the message was received) as a Known Pinned Host.
Does this mean that the client should update its local copy of the pins before max-age expires?
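The following is an added example, not part of the question or of RFC 7469 itself, that models the user-agent side of HPKP in plain Python so the role of max-age can be seen in code. Three points the question touches are made explicit: a pin is the SHA-256 of a certificate's DER SubjectPublicKeyInfo (not of the whole certificate) and it may match any certificate in the validated chain, not only the leaf; max-age is an absolute expiry stamped on the host at the moment the header is received, after which the host simply stops being a Known Pinned Host and is connected to without a pin check; and every valid header received over a connection that passed pin validation re-notes the host and restarts that clock, so an unchanged header on each response keeps the policy alive. The store also applies two RFC rules that are easy to overlook: a header is ignored unless at least one pin matches the chain and at least one pin does not (the backup pin), and max-age=0 clears the host. The host names, the receipt time and the Ed25519-shaped SPKI blobs are constructed for the demo; no real keys are involved.

```python
"""Toy HPKP (RFC 7469) user-agent: pin computation, Public-Key-Pins header
parsing, the Known Pinned Host store and the max-age expiry rule.
Added example with constructed data, not code from the question or the RFC."""
import base64
import hashlib
from dataclasses import dataclass

SIXTY_DAYS = 60 * 24 * 3600  # policy lifetime used by the demo header


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).
    It covers the public key, so a renewed certificate that reuses the key keeps the pin."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value; unknown directives (report-uri, ...) are ignored."""
    pins, max_age, include_subdomains = [], None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            if max_age is not None:
                raise ValueError("max-age given more than once")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        raise ValueError("max-age is required and must be non-negative")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


@dataclass
class PinnedHost:
    pins: frozenset          # noted pin-sha256 values
    expires_at: float        # receipt time + max-age, as an absolute timestamp
    include_subdomains: bool


class PinStore:
    """The UA's Known Pinned Hosts, keyed by host name."""

    def __init__(self):
        self._hosts = {}

    def lookup(self, host: str, now: float):
        """Policy governing `host`, or None if it is not a Known Pinned Host.
        Entries whose max-age has elapsed are dropped; a parent domain applies only with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            entry = self._hosts.get(name)
            if entry is None:
                continue
            if now >= entry.expires_at:      # max-age elapsed: the host is no longer pinned
                del self._hosts[name]
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def validate(self, host: str, chain_spki: list, now: float) -> bool:
        """Pin Validation for a chain that already passed ordinary certificate validation.
        A host that is not (or no longer) a Known Pinned Host gets no pin check at all."""
        entry = self.lookup(host, now)
        if entry is None:
            return True
        return any(spki_pin(spki) in entry.pins for spki in chain_spki)

    def note(self, host: str, header: str, chain_spki: list, now: float) -> bool:
        """Note, refresh or clear the policy from a PKP header received over a connection
        that passed Pin Validation. Returns True only if the header was noted."""
        policy = parse_pkp(header)
        if policy["max_age"] == 0:           # max-age=0 tells the UA to forget the host
            self._hosts.pop(host, None)
            return False
        chain_pins = {spki_pin(s) for s in chain_spki}
        pins = frozenset(policy["pins"])
        # Ignore the header unless some pin matches the chain and some pin does not (backup pin).
        if not (pins & chain_pins) or pins <= chain_pins:
            return False
        self._hosts[host] = PinnedHost(pins, now + policy["max_age"], policy["include_subdomains"])
        return True


def _fake_spki(label: bytes) -> bytes:
    """Constructed SubjectPublicKeyInfo: the RFC 8410 Ed25519 DER prefix plus 32 label-derived bytes."""
    return bytes.fromhex("302a300506032b6570032100") + hashlib.sha256(label).digest()


def demo() -> dict:
    """Walk a host through noting, validation, refresh, expiry and clearing."""
    t0 = 1_700_000_000                                   # constructed receipt time
    leaf, inter, backup, rogue = (_fake_spki(b"leaf"), _fake_spki(b"intermediate"),
                                  _fake_spki(b"backup"), _fake_spki(b"mitm"))
    good_chain, mitm_chain = [leaf, inter], [rogue, inter]
    header = (f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; '
              f'max-age={SIXTY_DAYS}; includeSubDomains; report-uri="https://example.com/r"')
    no_backup = f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(inter)}"; max-age={SIXTY_DAYS}'
    store, r = PinStore(), {}
    r["unknown_host_accepts_mitm"] = store.validate("example.com", mitm_chain, t0)
    r["noted"] = store.note("example.com", header, good_chain, t0)
    r["good_chain_ok"] = store.validate("example.com", good_chain, t0 + 1)
    r["mitm_rejected"] = store.validate("example.com", mitm_chain, t0 + 1)
    r["subdomain_rejected"] = store.validate("www.example.com", mitm_chain, t0 + 1)
    store.note("example.com", header, good_chain, t0 + 1000)                  # refresh restarts the clock
    r["no_backup_pin_ignored"] = store.note("example.com", no_backup, good_chain, t0 + 2000)
    r["mitm_after_first_expiry"] = store.validate("example.com", mitm_chain, t0 + SIXTY_DAYS + 1)
    r["mitm_after_second_expiry"] = store.validate("example.com", mitm_chain, t0 + 1000 + SIXTY_DAYS)
    store.note("example.com", header, good_chain, t0 + 1000 + SIXTY_DAYS + 5)
    store.note("example.com", 'pin-sha256="x"; max-age=0', good_chain, t0 + 1000 + SIXTY_DAYS + 6)
    r["cleared_by_max_age_0"] = store.validate("example.com", mitm_chain, t0 + 1000 + SIXTY_DAYS + 7)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the walk-through the rogue chain is rejected one second after the header is noted, is still rejected just past the first expiry because the refresh at t0+1000 moved the expiry forward, and is accepted again once the refreshed max-age has elapsed, because at that point the UA has no pins for the host at all. This is the practical meaning of the directive: it bounds how long a client will enforce pins it last saw, so a site that stops sending the header (or rotates keys without a noted backup) locks clients out for at most max-age.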