On 21/08/12 20:46, =JeffH wrote:
Tobias replied:
>
> I replied:
>
>> Tobias wrote
>>
>> > Look at it in reverse order:
>> > 1. We visit https://sub.example.com and receive HSTS with
>> > max-age=1234567890
>> > 2. We visit https://example.com and receive HSTS with max-age=0 ;
>> > includeSubdomains
>> >
>> > as far as I remember that would actually clear HSTS for
>> > sub.example.com?
>>
>> No, it would not do so. As Adam said, the user agent maintains a list
>> of distinct host names which have issued the HSTS Policy (aka STS
>> header field).
>>
>> The above scenario would result in no entry for example.com, and an
>> entry for sub.example.com
>
> Fine by me. Am just wondering on whether this is unambiguous enough from
> the draft?
> Do we need to be more clear on that? Or did I miss a clarifying point on
> that somewhere in the draft?
well, there's also the normative text about this in Section 8.1
"Strict-Transport-Security Response Header Field Processing". But
there's no forward reference to it from S 6.1.x.
I'll try to fix that, see below.
<hat="individual">
well, I read section 8.1 before, too. Actually I re-read the whole ID in
search of a sentence making a statement about how to handle this
particular case above, but couldn't find any. So I don't think this is
about forward reference. The question is, is it specified somewhere in
the ID already and I just missed it (in which case it may be ok to just
leave everything as is) or is it not specified in the draft, yet? (in
which case it would make sense to add something, whether in section 8 or
6 - with or without forward reference...)
> Specifically my confusion came when reading 6.1.1 and 6.1.2 and trying
> to apply them as:
>
> first 6.1.1.: "A max-age value of zero (i.e., "max-age=0") signals the UA to
> cease regarding the host as a Known HSTS Host."
> and then the next sentence in 6.1.2. "..."includeSubDomains" directive
> is a valueless flag which,
> if present, signals to the UA that the HSTS Policy applies to this
> HSTS Host as well as any subdomains"
>
> Could that be misread as "0" means cease HSTS and then
> "includeSubDomains" extends that meaning to all subdomains?
no, that's not how it's supposed to work, but like I said above, the
normative text is in section 8.1.
Didn't find that information on how to handle this particular case in
section 8.1. Could you maybe point me to the paragraph or copy&paste on
max-age=0 and includeSubDomains, in case I am ignorant/blind/stupid/can't
find it....
So, I've made some updates in my -13 working copy to try to polish
this out a bit...
###
6.1.1. The max-age Directive
The REQUIRED "max-age" directive specifies the number of seconds,
after the reception of the STS header field, during which the UA
regards the host (from whom the message was received) as a Known HSTS
Host. ...
NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host, including the
includeSubDomains flag (if set for that HSTS Host). See also
Section 8.1 "Strict-Transport-Security Response Header Field
Processing".
...
8.1. Strict-Transport-Security Response Header Field Processing
...
The max-age value is essentially a "time to live" value relative
to the reception time of the STS header field.
If the max-age header field value token has a value of zero, the
UA MUST remove its cached HSTS Policy information (including the
includeSubDomains flag if set) if the HSTS Host is known, or, MUST
NOT note this HSTS Host if it is not yet known.
...
###
note the now-explicit mention of treatment of the includeSubDomains
flag in the above excerpts.
Does that help clarify things ?
Actually, the proposed text does not clarify it at all in my understanding.
Maybe I did not make my point clear enough:
the case in question is: does HSTS with max-age=0 and includeSubDomains
mean you remove the HSTS flag (entry) for the subDomains as well (i.e.
is this equivalent to receiving HSTS headers with max-age=0 for all
subdomains)? You said "no" and that would be ok for me, but from the
text you proposed this would still not be clear to me.
Do you see what I mean?
Tobias
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
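A small model of the behaviour the thread argues about, added here as an illustration and not part of the thread or of the draft: a UA-side HSTS store keyed by the host that issued the policy, in which max-age=0 removes only that host's own entry, so the entry sub.example.com issued for itself survives the parent's "max-age=0 ; includeSubdomains". Parsing and the superdomain lookup are a simplified reading of the draft text quoted above; the host names and the fixed clock value are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Policy:
    expires: float           # absolute time at which this entry lapses
    include_subdomains: bool

def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, includeSubDomains); None if the REQUIRED max-age is missing or malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def process_sts(store: Dict[str, Policy], host: str, header: str, now: float) -> None:
    """Apply one STS header received from `host`; the store is keyed by the issuing host only."""
    parsed = parse_sts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        # max-age=0 drops only this host's own entry (flag included); other hosts' entries stay.
        store.pop(host.lower(), None)
        return
    store[host.lower()] = Policy(now + max_age, include_sub)

def is_known_hsts_host(store: Dict[str, Policy], host: str, now: float) -> bool:
    """Exact-match lookup first, then each superdomain whose live entry carries includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is not None and policy.expires > now and (i == 0 or policy.include_subdomains):
            return True
    return False

def run_scenario() -> Dict[str, bool]:
    """The thread's exchange: the subdomain first, then the parent with max-age=0 ; includeSubdomains."""
    store: Dict[str, Policy] = {}
    now = 1_000_000.0  # constructed fixed clock so the outcome is deterministic
    process_sts(store, "sub.example.com", "max-age=1234567890", now)
    process_sts(store, "example.com", "max-age=0 ; includeSubdomains", now)
    return {h: is_known_hsts_host(store, h, now) for h in ("example.com", "sub.example.com", "other.example.com")}
```

The reverse order behaves differently: a live example.com entry with includeSubDomains keeps covering sub.example.com even after sub.example.com itself sends max-age=0, because the parent's flag is consulted at lookup time rather than copied into the child's entry.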