Here's an interesting & relevant draft paper by Lucas Garron (and Andrew Bortz & Dan Boneh)..

  The State of HSTS Deployment:  A Survey and Common Pitfalls
  https://garron.net/crypto/hsts/hsts-2013.pdf

Note that "S 8.5 Securing https://example.com from a subdomain" is essentially the issue that Eric Lawrence recently filed against RFC6797 HSTS.

The paper is worth a read, and the scan code is here..

  https://github.com/lgarron/HSTS/tree/scan

..see also the discussion in this thread on <[email protected]>..

  State of HSTS in on the Web (2013)

https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Ibdf-x_uqEs


HTH,

=JeffH

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec