<hat="individual">
Jeff,
thanks a lot for the clarification.
On 21/08/12 19:53, =JeffH wrote:
Tobias wrote:
>
> Would agree with Adam.
agreed -- what Adam relates is how the spec and the implementations
have worked for ages.
> And for Brian, I think there is actually one more use case that you
> haven't considered:
> Look at it in reverse order:
> 1. We visit https://sub.example.com and receive HSTS with
> max-age=1234567890
> 2. We visit https://example.com and receive HSTS with max-age=0 ;
> includeSubdomains
>
> as far as I remember that would actually clear HSTS for
> sub.example.com?
No, it would not do so. As Adam said, the user agent maintains a list
of distinct host names which have issued the HSTS Policy (aka STS
header field).
The above scenario would result in no entry for example.com, and an
entry for sub.example.com.
Fine by me. I am just wondering whether this is unambiguous enough in
the draft.
Do we need to be more clear on that? Or did I miss a clarifying point on
that somewhere in the draft?
Specifically my confusion came when reading 6.1.1 and 6.1.2 and trying
to apply them as:
first 6.1.1: "A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host."
and then the next sentence in 6.1.2: "... "includeSubDomains" directive
is a valueless flag which, if present, signals to the UA that the HSTS
Policy applies to this HSTS Host as well as any subdomains"
Could that be misread as "0" means cease HSTS and then
"includeSubDomains" extends that meaning to all subdomains?
Just my 5 cents,
Tobias
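As an added illustration (not code from this thread, the draft, or any user agent), a minimal Python model of the per-host-name Known HSTS Host list JeffH describes, run over the two visits in the scenario above. It assumes a simplified header parser, a caller-supplied clock, and the superdomain matching of RFC 6797 section 8.2; the point it shows is that max-age=0 plus includeSubDomains on example.com removes only example.com's own entry, while a positive max-age with includeSubDomains does cover subdomains.

```python
from dataclasses import dataclass

@dataclass
class HstsEntry:
    expires: float            # absolute time at which the stored policy lapses
    include_subdomains: bool  # the includeSubDomains flag as last asserted

class HstsStore:
    """Per-host-name Known HSTS Host list in the spirit of RFC 6797 (simplified)."""

    def __init__(self):
        self.entries = {}  # exact (lower-cased) host name -> HstsEntry

    def process_header(self, host, header, now):
        """Apply one Strict-Transport-Security header received over TLS from host."""
        host = host.lower()
        max_age, include_subdomains = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()  # directive names are case-insensitive
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is required; a header without it is ignored
        if max_age == 0:
            # 6.1.1: only the issuing host's own entry is dropped; the flag on this
            # header says nothing about entries that other hosts have issued.
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(now + max_age, include_subdomains)

    def is_known_hsts_host(self, host, now):
        """Exact or includeSubDomains superdomain match on an unexpired entry (8.2)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

def thread_scenario():
    """The two visits from the thread, in order; returns the store and its host names."""
    store = HstsStore()
    store.process_header("sub.example.com", "max-age=1234567890", now=0)
    store.process_header("example.com", "max-age=0 ; includeSubdomains", now=0)
    return store, sorted(store.entries)
```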
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec