
What are "Long duration" defined as in HSTS? What will be required for HPKP?

Question asked by Sebastian Nielsen on Feb 8, 2016
Latest reply on Feb 9, 2016 by Ivan Ristić

I wonder what "Long duration" is defined as (minimum limit) in HSTS?

Will a specific duration be required for HPKP when the current development version is released to the public?


And one suggestion: IF there will be a duration requirement to gain score for HPKP, I think it should allow dynamic durations pinned to the expiration of the certificate, where "long duration" is defined as: "The definition of HSTS long duration, OR ((number of seconds left to cert expiry) - 1209600), whichever is shortest." If the shortest duration is 0 because the site's certificate is going to expire within the next 14 days, HPKP points should be awarded even if HPKP is not deployed.

The 1209600 is the duration of 14 days in seconds, to allow for renewal in plenty of time before the cert actually expires. The reason I selected 14 days is that most CAs do allow renewal of the certificate within this 14-day window without having to revoke the original certificate.


With "dynamic duration", I mean that the server has a stored notation of the certificate expiry and dynamically sets the expiry of the HPKP header to a duration that is sufficiently near the certificate expiry to allow, for example, upgrading of keys and such.
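The "dynamic duration" rule proposed above, worked through as an added Python example (not code from the poster or from SSL Labs). It assumes a value for the HSTS "long duration" threshold, which the question does not state, and uses constructed SPKI bytes for the pins; the header is omitted entirely when the computed max-age falls to zero, which is the case the post describes for a certificate expiring within the 14-day renewal window.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# ASSUMPTION: the thread never says what SSL Labs counts as a "long duration";
# 180 days is a placeholder value, not a figure taken from the question.
LONG_DURATION_SECONDS = 180 * 24 * 3600
# 14 days in seconds, the renewal window the question proposes.
RENEWAL_WINDOW_SECONDS = 1209600


def dynamic_hpkp_max_age(not_after: datetime, now: datetime) -> int:
    """max-age = min(HSTS long duration, seconds to cert expiry - 14 days),
    clamped at zero so a cert inside its renewal window yields no pinning."""
    seconds_left = int((not_after - now).total_seconds())
    return max(0, min(LONG_DURATION_SECONDS, seconds_left - RENEWAL_WINDOW_SECONDS))


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins: List[str], not_after: datetime, now: datetime,
                      include_subdomains: bool = False) -> Optional[str]:
    """Return the Public-Key-Pins header value, or None when the dynamic
    max-age is zero (the server should then simply not send the header).
    RFC 7469 requires a backup pin, so at least two pins must be supplied."""
    if len(pins) < 2:
        raise ValueError("HPKP needs the active pin plus at least one backup pin")
    max_age = dynamic_hpkp_max_age(not_after, now)
    if max_age == 0:
        return None
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample data: fake SPKI bytes and a fixed "now" for reproducibility.
    pins = [spki_pin(b"constructed-active-spki"), spki_pin(b"constructed-backup-spki")]
    now = datetime(2016, 2, 8, tzinfo=timezone.utc)
    for days in (400, 60, 10):
        print(days, build_hpkp_header(pins, now + timedelta(days=days), now))
```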
