Discussed to try to get Brad on the phone for next call or a future call.

Link: http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

Next logical step seems to be to write a spec -- i.e.,

• Explainer (cribbed from Brad's doc)
• ALPN token
• patch to upgrade-insecure-requests
• patch to MIX
• others?

However, Brad has indicated he doesn't have much time to work on it in the near future.

/cc @ericlaw1979

https://mikewest.github.io/hsts-priming/ is another approach that we're looking into.

Discussed at Melbourne face-to-face, morning of January 14. (See minutes for details.)

Discussed at london f2f day 3; @mnot to follow up at IETF next week and come back to the group with more detailed status and action plan.

Discussed 2016-04-13, will continue to monitor

@mikewest @hillbrad (I'd add Richard Barnes if I remembered his github account)

So the TAG discussed this in our meeting today. We're not sure how useful it is to keep this issue open since there doesn't seem to be a lot for us to review right now, and the real experts in this area seem to be in webappsec and other groups rather than in the TAG. However, we'd be excited to see progress in this area. If there's any feedback or support you'd like from us we'd be happy for you to open an additional TAG issue or contact us in other ways.

I think for the moment the browser community is experimenting with HSTS Priming as a lighter weight approach to the issue.

https://wicg.github.io/hsts-priming/

We'll see how things evolve.