Hi David and Adam,
That was my understanding from the draft so far, too. See section 6.1.2,
first paragraph.
Having said that, David may be right and we could be more explicit that
max-age=0 and includeSubDomains does not ref up in the tree (for
example by adding one more example).
It was clear to me from the text, but well I can be too deep in things
from time to time and take things for granted. Any other opinions on this?
Best, Tobias
On 13/08/12 23:29, Adam Barth wrote:
The way the implementation in Chrome works is that max-age=0 only
clears the entry for that particular host name. If there's another
shorter host name with includeSubdomains, that isn't affected.
Adam
On Mon, Aug 13, 2012 at 3:16 PM, David Keeler <[email protected]> wrote:
Hello,
The current HSTS spec draft says "A max-age value of zero (i.e.,
"max-age=0") signals the UA to cease regarding the host as a Known HSTS
Host." (section 6.1.1) How does this interact with the includeSubdomains
directive?
For instance, if the UA receives an HSTS header with includeSubdomains
from example.com but then receives an HSTS header with max-age=0 from
sub.example.com, is sub.example.com to be noted as an HSTS host?
Either way, I believe the language of the spec could be a bit more clear.
Cheers,
David Keeler
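To make the behaviour Adam describes concrete (and to walk through the exact scenario David asks about), here is an added toy model of a UA's HSTS host store. It is example code written for this thread, not Chrome's implementation and not the normative algorithm from the draft; the names `parse_sts_header`, `HstsStore` and `davids_scenario` are the example's own, the header values are constructed, and the clock is injected so the run is deterministic. The rule it encodes is the one from Adam's reply: `max-age=0` deletes the entry for exactly that host name, while a shorter host name's entry with `includeSubDomains` is left alone and still covers the subdomain.

```python
"""Toy HSTS host store: how max-age=0 interacts with includeSubDomains.

Assumption (from Adam's description of Chrome): max-age=0 clears only the
entry keyed by that exact host; superdomain entries are untouched.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no valid max-age is present; the UA ignores such a header.
    Directive names are case-insensitive and max-age may be a quoted string.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None  # malformed delta-seconds: ignore the header
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsEntry:
    expires_at: float        # absolute time (seconds) after which the entry is stale
    include_subdomains: bool


class HstsStore:
    """Per-host HSTS policy cache keyed by the exact (lower-cased) host name."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._entries: Dict[str, HstsEntry] = {}
        self._now = now

    def process_header(self, host: str, header_value: str) -> None:
        """Apply an STS header received over a secure connection from `host`."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            # Only this exact host's entry is cleared; a superdomain entry
            # carrying includeSubDomains keeps covering this host.
            self._entries.pop(host, None)
            return
        self._entries[host] = HstsEntry(self._now() + max_age, include_subdomains)

    def is_known_hsts_host(self, host: str) -> bool:
        """True if `host` matches an unexpired entry exactly, or an unexpired
        superdomain entry that has includeSubDomains set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= self._now():
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def davids_scenario(now: float = 1_000_000.0) -> Dict[str, bool]:
    """David's question walked through with constructed headers and a fixed clock."""
    store = HstsStore(now=lambda: now)
    store.process_header("example.com", "max-age=31536000; includeSubDomains")
    result = {"after_parent_header": store.is_known_hsts_host("sub.example.com")}
    store.process_header("sub.example.com", "max-age=0")
    result["after_sub_max_age_0"] = store.is_known_hsts_host("sub.example.com")
    store.process_header("example.com", "max-age=0")
    result["after_parent_max_age_0"] = store.is_known_hsts_host("sub.example.com")
    return result


if __name__ == "__main__":
    print(davids_scenario())
```

Under this model `sub.example.com` stays a Known HSTS Host after its own `max-age=0`, because the check walks up to `example.com`, whose entry still has `includeSubDomains`; only a `max-age=0` from `example.com` itself clears the coverage. The lookup also skips expired entries rather than stopping at them, so a stale subdomain entry does not mask a live superdomain policy.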
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec