I'd replied..

Brian Smith added..

Tobias Gondrom wrote:
Actually, the proposed text does not clarify it at all in my
understanding. Maybe I did not make my point clear enough: the case in
question is: does HSTS with max-age=0 and includeSubDomains mean you
remove the HSTS flag (entry) for the subDomains as well (i.e. is this
equivalent to receiving HSTS headers with max-age=0 for all subdomains)?
You said "no" and that would be ok for me, but from the text you proposed
this would still not be clear to me.

Do you see what I mean?

I agree that the proposed change doesn't really make things less
confusing.

Perhaps you could suggest mods to -12 that would help clarify it from your
perspective?

I re-wrote Section 5 "HSTS Mechanism Overview" to try to clarify this, in rev -13. Please take a look. thx.


My understanding (based on this discussion) is that an HSTS header can
only modify the HSTS information for the same host that the HSTS header
was received on.

correct.

This means that the client should not modify any information for
sub.example.org based on information it receives from example.org,

correct.

and it should not modify any information for example.org based on
information it receives from sub.example.org.

correct.


When making a connection to a host, the client reads the entry for the
given host, and for all parent domains that have includeSubdomains in their
HSTS entries.

essentially correct.  Rather, the UA examines any superdomain host (aka
parent domain hosts) entries it may have and if any of them have
includeSubdomains asserted, then HSTS Policy applies to the given host;
otherwise HSTS Policy applies to the given host if it is a Known HSTS Host to
that UA. Step 5 in Section 8.3.


After receiving an HSTS header from a given host, the client updates the
entry for the given host only.

correct.

When receiving an HSTS header and updating the database, the client should
never traverse the parent/child domain hierarchy.

correct.
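To make the semantics agreed above concrete, here is an added example in Python (it is not code from this thread, the draft, or any browser): a minimal Known HSTS Host store. `HstsStore`, `process_header` and `policy_applies` are names chosen here. The store only ever updates the entry for the exact host a header arrived from, and it walks superdomain entries only when deciding whether HSTS Policy applies to a host (the Section 8.3 step 5 check), never when updating.

```python
# Added example, not from the websec thread or any HSTS implementation.
import time


class HstsStore:
    """Known HSTS Hosts, keyed by the exact host the header was received on."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def process_header(self, host, header):
        """Apply a Strict-Transport-Security header received from `host`.

        Only the entry for `host` is touched: a header from example.org never
        changes sub.example.org, and vice versa.  max-age=0 removes the entry
        for `host` only, even if includeSubDomains is also present.
        """
        directives = {}
        for part in header.split(";"):
            part = part.strip()
            if not part:
                continue
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # max-age is required; ignore a malformed header
        max_age = int(directives["max-age"])
        if max_age == 0:
            self._hosts.pop(host, None)  # host stops being a Known HSTS Host
            return
        self._hosts[host] = (self._now() + max_age, "includesubdomains" in directives)

    def is_known(self, host):
        """True if `host` itself has an unexpired entry."""
        entry = self._hosts.get(host)
        return entry is not None and entry[0] > self._now()

    def policy_applies(self, host):
        """HSTS Policy applies if `host` is known, or if any superdomain host
        has an unexpired entry with includeSubDomains asserted."""
        if self.is_known(host):
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is not None and entry[0] > self._now() and entry[1]:
                return True
        return False
```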

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec