Brian Smith added..
>
> Tobias Gondrom wrote:
>> Actually, the proposed text does not clarify it at all in my
>> understanding. Maybe I did not make my point clear enough: the case in
>> question is: does HSTS with max-age=0 and includeSubDomains mean you remove
>> the HSTS flag (entry) for the subDomains as well (i.e. is this equivalent
>> to receiving HSTS headers with max-age=0 for all subdomains)? You said "no"
>> and that would be ok for me, but from the text you proposed this would
>> still not be clear to me.
>>
>> Do you see what I mean?
>
> I agree that the proposed change doesn't really make things less confusing.
Perhaps you could suggest mods to -12 that would help clarify it from your
perspective?
> My understanding (based on this discussion) is that an HSTS header can only
> modify the HSTS information for the same host that the HSTS header was
> received on.
correct.
> This means that the client should not modify any information for
> sub.example.org based on information it receives from example.org,
correct.
> and it
> should not modify any information for example.org based on information it
> receives from sub.example.org.
correct.
> When making a connection to a host, the client reads the entry for the given
> host, and for all parent domains that have includeSubdomains in their HSTS
> entries.
essentially correct. Rather, the UA examines any superdomain host (aka parent
domain hosts) entries it may have and if any of them have includeSubdomains
asserted, then HSTS Policy applies to the given host; otherwise HSTS Policy
applies to the given host if it is a Known HSTS Host to that UA. Step 5 in
Section 8.3.
> After receiving an HSTS header from a given host, the client updates the
> entry for the given host only.
correct.
> When receiving an HSTS header and updating the
> database, the client should never traverse the parent/child domain
> hierarchy.
correct.
HTH,
=JeffH
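As an added illustration of the two rules JeffH confirms above (this is not code from the thread, from any UA, or from the draft), here is a toy HSTS store in Python: a header received from a host updates only that host's own entry, and the policy check for a host walks its superdomains looking for a live entry with includeSubDomains. The class and method names and the hostnames are constructed for the example.

```python
"""Toy HSTS store (constructed example) for the two rules discussed in the thread:
1. A Strict-Transport-Security header received from host H updates only H's
   entry; the UA never walks the parent/child hierarchy when updating.
2. HSTS Policy applies to H if H itself is a Known HSTS Host, or if any
   superdomain has a live entry asserting includeSubDomains (Section 8.3, step 5).
"""
import time


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._entries = {}         # host -> (expiry_timestamp, include_subdomains)

    @staticmethod
    def _canon(host):
        return host.lower().rstrip(".")

    def process_header(self, host, max_age, include_subdomains=False):
        """Apply a header received over TLS from `host`.

        Only `host`'s own entry is touched. max-age=0 deletes that entry and
        nothing else, even if includeSubDomains was asserted alongside it.
        """
        host = self._canon(host)
        if max_age <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + max_age, include_subdomains)

    def is_hsts_host(self, host):
        """Return True if HSTS Policy applies to `host`.

        Examines the host's own entry and every superdomain entry; an expired
        entry is ignored, a superdomain entry counts only with includeSubDomains.
        """
        host = self._canon(host)
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self._now():
                continue                      # stale entry, treat as unknown
            if candidate == host or include_subdomains:
                return True
        return False
```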
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec