Tobias replied:
>
> I replied:
>
>> Tobias wrote
>>
>> > Look at it in reverse order:
>> > 1. We visit https://sub.example.com and receive HSTS with
>> > max-age=1234567890
>> > 2. We visit https://example.com and receive HSTS with max-age=0 ;
>> > includeSubdomains
>> >
>> > as far as I remember that would actually clear HSTS for
>> > sub.example.com?
>>
>> No, it would not do so.  As Adam said, the user agent maintains a list
>> of distinct host names which have issued the HSTS Policy (aka STS
>> header field).
>>
>> The above scenario would result in no entry for example.com, and an
>> entry for sub.example.com
>
> Fine by me. Am just wondering on whether this is unambiguous enough from
> the draft?
> Do we need to be more clear on that? Or did I miss a clarifying point on
> that somewhere in the draft?

well, there's also the normative text about this in Section 8.1 "Strict-Transport-Security Response Header Field Processing". But there's no forward reference to it from S 6.1.x.

I'll try to fix that, see below.


> Specifically my confusion came when reading 6.1.1 and 6.1.2 and trying
> to apply them as:
>
> first 6.1.1.: "A max-age value of zero (i.e., "max-age=0") signals the UA to
>            cease regarding the host as a Known HSTS Host."
> and then the next sentence in 6.1.2. "..."includeSubDomains" directive
> is a valueless flag which,
>     if present, signals to the UA that the HSTS Policy applies to this
> HSTS Host as well as any subdomains"
>
> Could that be misread as "0" means cease HSTS and then
> "includeSubDomains" extends that meaning to all subdomains?

no, that's not how it's supposed to work, but like I said above, the normative text is in section 8.1.

So, I've made some updates in my -13 working copy to try to polish this out a 
bit...

###

6.1.1.  The max-age Directive

   The REQUIRED "max-age" directive specifies the number of seconds,
   after the reception of the STS header field, during which the UA
   regards the host (from whom the message was received) as a Known HSTS
   Host. ...

   NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to
          cease regarding the host as a Known HSTS Host, including the
          includeSubDomains flag (if set for that HSTS Host).  See also
          Section 8.1 "Strict-Transport-Security Response Header Field
          Processing".

...

8.1.  Strict-Transport-Security Response Header Field Processing

   ...

      The max-age value is essentially a "time to live" value relative
      to the reception time of the STS header field.

      If the max-age header field value token has a value of zero, the
      UA MUST remove its cached HSTS Policy information (including the
      includeSubDomains flag if set) if the HSTS Host is known, or, MUST
      NOT note this HSTS Host if it is not yet known.
...

###

note the now-explicit mention of treatment of the includeSubDomains flag in the above excerpts.

Does that help clarify things?


=JeffH


_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
