I have not clear understanding of the purpose of the max-age directive in the RFC7469 (Public Key Pinning Extension)
My understanding of RFC7469 and HTTP Public Key Pinning is that every time a client starts an HTTPS transaction with a server, it should compute the pin of the server certificate and verify that it matches one of the pin returned by the server in a previous transaction. If pin does not match, than a man-in-the-middle event may have occurred and connection must be denied.
What is not clear to me is the purpose of "max-age" directive. This is what RFC7469 states:
The "max-age" directive specifies the number of seconds after the reception of the PKP header field during which the UA SHOULD regard the host (from whom the message was received) as a Known Pinned Host.
Does this mean that the client should update a local copy of pins not later than max-age expires?
Max-age tells the client how long the HPKP header is valid for. After max-age expires the HPKP header should be forgotten and ignored. However if you revisit the site during that time you will likely get a new max-age and extend the max-age a little longer.
Certificates have a validity period so it does not make sense to make a HPKP header valid indefinitely. It’s also possible to block access to your site accidentally by updating certificate. So a max-age is necessary.
HPKP has been seen to be dangerous (see my blog post here for some of the reasons), so even with a max-age it’s proven to be too dangerous for most sites and Chrome for one are removing it as an option.