On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
> Julian wondered..
>>
>> wouldn't it make sense to have a default for max-age so it
>> can be made OPTIONAL?
>
> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and
> thus hopefully encouraging deployers to think a bit about this and its
> ramifications, and also because its value is so site-specific in terms of a web
> application's needs, deployment approach, and tolerance for downside risk of
> breaking itself.
I tend to agree, but it's not deployers who are going to do the thinking - it's the implementers of web servers. So somewhere, in some control panel for IIS, or a config file for Apache, or some WebUI for some SSL-VPN, there's going to be a configuration to turn on HSTS, and that product is going to have a default max-age. The deployers are just going to check the box. I think we should provide guidance for those implementers as to what is a good default there.

Yoav
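The thread argues over whether max-age should be REQUIRED or defaulted; the following checker, added here and not part of the websec thread, parses a Strict-Transport-Security header value the way a deployment reviewer would, treating a missing max-age as an error and a very short one (the one-day threshold is an assumption for illustration) as a sign of a box-checked product default.

```python
"""Added example: review a Strict-Transport-Security header value.
max-age is treated as REQUIRED with no default; the weak-value threshold
below is an assumed review policy, not anything from the spec draft."""

from dataclasses import dataclass
from typing import List, Optional

WEAK_MAX_AGE_SECONDS = 86400  # assumed: under one day looks like an untouched default


@dataclass
class HstsCheck:
    valid: bool
    max_age: Optional[int]
    include_subdomains: bool
    errors: List[str]
    warnings: List[str]


def check_hsts(header_value: str) -> HstsCheck:
    """Directives are ';'-separated, names are case-insensitive, a directive
    may appear at most once, and max-age (delta-seconds) must be present."""
    errors, warnings = [], []
    seen = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate empty segments such as a trailing ';'
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            errors.append(f"directive '{name}' appears more than once")
        seen[name] = value

    max_age = None
    if "max-age" not in seen:
        errors.append("max-age missing: it is REQUIRED and has no default")
    elif not seen["max-age"].isdigit():
        errors.append("max-age is not a non-negative integer")
    else:
        max_age = int(seen["max-age"])
        if max_age == 0:
            warnings.append("max-age=0 tells browsers to forget this host's HSTS policy")
        elif max_age < WEAK_MAX_AGE_SECONDS:
            warnings.append(f"max-age={max_age} is below the {WEAK_MAX_AGE_SECONDS}s review threshold")

    return HstsCheck(valid=not errors, max_age=max_age,
                     include_subdomains="includesubdomains" in seen,
                     errors=errors, warnings=warnings)
```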
