Hi,

>> 2) Section 3.3 - We write SHOULD for HSTS. We could think about a MUST -
>> it seems to be better supported by clients now, is relatively easily
>> enabled, and its existence ought not harm any clients that do not
>> understand it. I don't have strong feelings about it, though.
>
> I assume you're talking about a MUST implement, not MUST deploy?

Yes, at the minimum. The MUST for implement would only mean that additional HTTP headers must be supported by Web server software. I think all popular implementations do that?

The MUST for deploy would mean adding the header to the configuration. I am slightly in favour of that, but site operators might be afraid of what happens in case something goes wrong in their SSL config and no-one can access the site. Then again, it would be a real incentive to deploy SSL correctly from the start and take care the site actually works.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
