#28: HSTS spec unclear about the denotation of "HSTS policy"
Strict-Transport-Security syntax and effective request URI def [StPeter]
https://www.ietf.org/mail-archive/web/websec/current/msg00476.html
The document is a bit unclear about the denotation of "HSTS policy".
Sometimes it refers to the site's policy and sometimes to the overall
recommendations defined in the spec.
This specification also incorporates notions
from [JacksonBarth2008] in that the HSTS policy is applied on an
"entire-host" basis: it applies to all TCP ports on the host.
Additionally, HSTS policy can be applied to the entire domain name
subtree rooted at a given host name. This enables HSTS to protect
so-called "domain cookies", which are applied to all subdomains of a
given domain.
Perhaps it would be helpful to contrast the all ports and entire subtree
principles with the same origin policy also being worked on in this WG,
with an informational reference to the appropriate spec.
--
--------------------------------+------------------------------------------------
Reporter: jeff.hodges@…         | Owner: draft-ietf-websec-strict-transport-sec@…
Type: defect                    | Status: new
Priority: minor                 | Milestone:
Component: strict-transport-sec | Version:
Severity: -                     | Keywords:
--------------------------------+------------------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
websec <http://tools.ietf.org/websec/>
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
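The contrast the reviewer asks for, as an added example that is not part of the ticket or of the HSTS draft: a minimal model of how a user agent matches a cached HSTS policy against a request URI (per host, every TCP port, optionally the whole subdomain subtree) next to the (scheme, host, port) triple the same-origin policy compares. The host names, the cached policies and the helper names (HstsEntry, hsts_entry_for, apply_hsts, origin, same_origin) are all constructed for this illustration.

```python
"""Constructed illustration of HSTS policy scope versus same-origin scope.

Not code from the HSTS draft or the websec WG; the store below is made up.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    """A Known HSTS Host as a UA would cache it from an STS response header."""
    host: str                  # lower-case host name the header was received from
    include_subdomains: bool   # True when the header carried includeSubDomains


# Constructed HSTS store: one policy covering its subtree, one that does not.
KNOWN_HSTS_HOSTS = [
    HstsEntry("example.com", include_subdomains=True),
    HstsEntry("other.test", include_subdomains=False),
]


def hsts_entry_for(host: str, store=KNOWN_HSTS_HOSTS):
    """Return the cached entry whose policy covers `host`, or None.

    An exact host match always applies.  A superdomain match (the entry's host
    is a parent of `host`) applies only if that entry asserted includeSubDomains.
    No port is consulted anywhere: the policy is per host, not per origin.
    """
    host = host.lower().rstrip(".")
    for entry in store:
        if host == entry.host:
            return entry
        # The leading "." keeps "notexample.com" from matching "example.com".
        if entry.include_subdomains and host.endswith("." + entry.host):
            return entry
    return None


def apply_hsts(url: str, store=KNOWN_HSTS_HOSTS) -> str:
    """Rewrite an http:// URL to https:// when an HSTS policy covers its host.

    An explicit port 80 becomes the https default (443); any other explicit
    port is kept, because the policy covers every TCP port on the host and the
    UA only changes the scheme.  Userinfo in the URL is dropped for brevity.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if hsts_entry_for(parts.hostname, store) is None:
        return url
    host, port = parts.hostname, parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def origin(url: str):
    """The (scheme, host, port) triple that the same-origin policy compares."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port or default_port)


def same_origin(a: str, b: str) -> bool:
    """Same-origin policy: scheme, host and port must all agree."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    for url in ("http://example.com:8080/login", "http://api.example.com/",
                "http://sub.other.test/", "http://notexample.com/"):
        print(f"{url:32} -> {apply_hsts(url)}")
    # Different origins, yet both fall under the single example.com policy.
    print(same_origin("http://example.com:8080/", "https://example.com/"))
```

Running the module shows the asymmetry the reviewer points at: `http://example.com:8080/login` and `https://example.com/` are distinct origins, so the same-origin policy keeps them apart, while one cached HSTS entry for `example.com` upgrades both and, because of includeSubDomains, `api.example.com` as well; `sub.other.test` is left alone because `other.test` did not opt its subtree in.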