On 2012-01-03 07:26, Yoav Nir wrote:
On Jan 3, 2012, at 1:29 AM, =JeffH wrote:

Julian wondered..

wouldn't it make sense to have a default for max-age so it
can be made OPTIONAL?

hm ... I lean towards keeping max-age as REQUIRED (without a default value) and
thus hopefully encouraging deployers to think a bit about this and its
ramifications, and also because its value is so site-specific in terms of a web
application's needs, deployment approach, and tolerance for downside risk of
breaking itself.

I tend to agree, but it's not deployers who are going to do the thinking - it's 
the implementers of web servers.

So somewhere, in some control panel for IIS, or a config file for Apache, or 
some WebUI for some SSL-VPN, there's going to be a configuration to turn on 
HSTS, and that product is going to have a default max-age. The deployers are 
just going to check the box.

I think we should provide guidance for those implementers as to what is a good 
default there.
...

If we know a good default then it should be the default on the wire (IMHO). It would help get predictable behavior when it's missing. (Right now the spec allows recipients to do anything they want when it's missing, right?)

Best regards, Julian
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
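As an added example (not from this thread or from any server or browser implementation), a receiver-side parser that applies the rule JeffH and Julian are discussing: under the websec draft that became RFC 6797, max-age is REQUIRED and a recipient that finds no valid max-age must ignore the header rather than fall back to a default. The `assess` helper and its `min_age` threshold are my own additions for checking what a server actually emits; the spec sets no such threshold.

```python
import re
# RFC 6797 grammar: directives separated by ';', names case-insensitive,
# value is a token or quoted-string. max-age is REQUIRED; includeSubDomains
# is a valueless flag; unknown directives are ignored.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(
    rf'^\s*({_TOKEN})\s*(?:=\s*(?:({_TOKEN})|"((?:[^"\\]|\\.)*)"))?\s*$')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value the way a conforming UA must.
    Returns None when the UA has to ignore the header: no max-age, a
    directive repeated, or a directive that fails the grammar."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        if part.strip() == "":
            continue  # grammar permits empty elements such as ';;'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if arg is None or not re.fullmatch(r"[0-9]+", arg):
                return None  # delta-seconds is 1*DIGIT (quotes allowed)
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            if arg is not None:
                return None  # flag directive; a value is non-conforming
            policy["include_subdomains"] = True
        # anything else is an extension directive and is ignored
    if policy["max_age"] is None:
        return None  # REQUIRED, and there is no on-wire default
    return policy

def assess(value, min_age):
    """Defender-side check of an observed header; min_age is the caller's
    own threshold (constructed here, the spec sets none)."""
    p = parse_hsts(value)
    if p is None:
        return "ignored: no valid max-age, so the UA records no policy"
    if p["max_age"] == 0:
        return "knockout: max-age=0 tells the UA to drop the host"
    if p["max_age"] < min_age:
        return "short: policy lapses after %d seconds" % p["max_age"]
    return "ok"
```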