#8: clarify/explain behavior when STS header not returned by known HSTS Host
http://www.ietf.org/mail-archive/web/websec/current/msg00045.html

Subject: Re: [websec] Some questions about HSTS
From: "Steingruebl, Andy" <[email protected]>
Date: Mon, 22 Nov 2010 09:57:21 -0700 (08:57 PST)
To: Yoav Nir <[email protected]>, "'[email protected]'" <[email protected]>

<snip/>

> My second question regards the UA behavior when policy changes. Suppose
> a website has had the HSTS header for a while. The UA has a cache entry with
> a TTL of several more weeks. Now the UA connects to the server (over
> HTTPS) and does not get an HSTS header at all. What now? If there was a
> header and it was merely changed, the spec says to update the cache entry.
> But if the header is missing altogether, does that mean that the UA should
> delete the cache entry?

I think we can make this clear, but until the client receives a new header, it does not tinker with the cache. We do say the header should be present in all/most server responses, but the behavior should be that the value persists until set to something else.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new
 Priority:  major                          |   Milestone:
Component:  strict-transport-sec           |     Version:
 Severity:  Active WG Document             |    Keywords:
-------------------------------------------+--------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>
websec <http://tools.ietf.org/websec/>

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
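A minimal model of the cache rule the reply describes, added here as an illustration; it is not code from the ticket, the thread or any browser. It models a known-HSTS-host cache in which a response without the STS header leaves the entry untouched until its max-age lapses, plus two rules from the later RFC 6797 text (max-age=0 deletes the entry; the header is ignored on plain-HTTP responses). The class name `HstsCache` and the injectable `clock` are assumptions made for the example.

```python
import re
import time

# Hypothetical UA-side cache of known HSTS hosts (not any browser's code).
# Entry: host -> (expiry timestamp, includeSubDomains flag).
_MAX_AGE = re.compile(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)"?')


class HstsCache:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._hosts = {}

    def observe(self, host, scheme, headers):
        """Apply one response's headers (a dict) to the cache."""
        if scheme != "https":
            return                   # STS is only trusted over TLS
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return                   # no header: existing entry persists unchanged
        m = _MAX_AGE.search(sts)
        if m is None:
            return                   # malformed directive: ignore, keep the entry
        max_age = int(m.group(1))
        if max_age == 0:
            self._hosts.pop(host, None)   # explicit removal (RFC 6797 rule)
            return
        include_sub = any(d.strip().lower() == "includesubdomains"
                          for d in sts.split(";"))
        self._hosts[host] = (self._clock() + max_age, include_sub)

    def is_known(self, host):
        """True if a non-expired entry covers host directly or via a parent."""
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue             # lapsed: no longer enforced
            if i == 0 or include_sub:
                return True
        return False
```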
