On 10/08/14 12:40, Yoav Nir wrote:
> On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <[email protected]> wrote:
>
>> Thanks.
>>
>> I agree, this is an "update" and not an "errata".
>>
>> However, am not sure how to best retain this information:
>> Because this is a good point for a best practice.
>> And be it only in advising the best practice when using HSTS, like
>> simply including one link to the parent https://example.com to avoid
>> having unprotected parent-domains.
> Well, if we could talk Eric into writing a draft…
>
In theory we/he could do an RFC6797bis for this. And as the change is only small, the review period should also be possible to keep contained.

On the other hand, personally, I am not sure a new RFC would really be necessary, because it seems to me that with proper best practices (declare HSTS Policy at their top-level domain + frequently include the top-level, to make sure its HSTS is still renewed) this can be solved and there would be no change on the wire.

Best regards, Tobias
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
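The two points in the thread (a policy sent only by www.example.com never protects the bare example.com, and a top-level policy lapses unless the top-level host is fetched often enough to renew it) are easy to see by simulating the browser-side HSTS known-host cache that RFC 6797 section 8.1 describes. The following is an added example written for this page; it is not code from the websec list, from any browser, or from RFC 6797, and the hostnames, max-age values and visit schedule are constructed sample values.

```python
"""Simulation of a browser's HSTS known-host cache (RFC 6797, section 8.1).

Added example for the websec thread above, not code from the list or from
any browser. example.com, the 30-day max-age and the daily visit schedule
are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# max-age directive, case-insensitive, value optionally quoted (RFC 6797 6.1.1)
_MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


@dataclass
class HstsEntry:
    expires_at: float          # absolute time at which the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains), or None if invalid.

    Directives are ';'-separated and case-insensitive; max-age is required.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = _MAX_AGE_RE.match(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Tracks which hosts a browser would force to HTTPS, and until when."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, sts_header: Optional[str], now: float) -> None:
        """Process an HTTPS response from `host` as RFC 6797 section 8.1 describes."""
        if sts_header is None:
            return                      # no STS header: existing state is untouched
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return                      # malformed header is ignored
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)   # max-age=0 removes the policy
        else:
            self.entries[host.lower()] = HstsEntry(now + max_age, include_sub)

    def is_protected(self, host: str, now: float) -> bool:
        """True if `host` matches an unexpired entry exactly, or an unexpired
        includeSubDomains entry on one of its parent domains.  A policy sent by
        www.example.com therefore never covers example.com itself."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def unprotected_parent_scenario() -> Tuple[bool, bool, bool]:
    """Only www.example.com ever sends STS: the bare domain stays unprotected."""
    cache = HstsCache()
    cache.observe_response("www.example.com", "max-age=31536000; includeSubDomains", now=0)
    return (cache.is_protected("www.example.com", 1),
            cache.is_protected("example.com", 1),
            cache.is_protected("api.www.example.com", 1))


def renewal_scenario(link_to_parent: bool) -> Tuple[bool, bool]:
    """The top-level domain declares the policy once; the user then visits
    www.example.com daily for 60 days.  With `link_to_parent`, each www page
    also fetches one resource from https://example.com, renewing its entry."""
    day = 86400
    policy = "max-age=%d; includeSubDomains" % (30 * day)
    cache = HstsCache()
    cache.observe_response("example.com", policy, now=0)
    for d in range(60):
        now = d * day
        cache.observe_response("www.example.com", policy, now)
        if link_to_parent:
            cache.observe_response("example.com", policy, now)
    now = 60 * day
    return cache.is_protected("www.example.com", now), cache.is_protected("example.com", now)


if __name__ == "__main__":
    print("www only:", unprotected_parent_scenario())
    print("no parent link:", renewal_scenario(False))
    print("parent link:", renewal_scenario(True))
```

`renewal_scenario(False)` shows the parent entry lapsing after its 30-day max-age while www.example.com stays protected, which is the window in which a first request to the bare domain goes out over plain HTTP; `renewal_scenario(True)` shows the single parent-domain link from the thread keeping both entries fresh, with no change to the header format on the wire.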
