On Aug 10, 2014, at 2:48 PM, Tobias Gondrom <[email protected]> wrote:
> On 10/08/14 12:40, Yoav Nir wrote:
>> On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <[email protected]>
>> wrote:
>>
>>> Thanks.
>>>
>>> I agree, this is an "update" and not an "errata".
>>>
>>> However, am not sure how to best retain this information:
>>> Because this is a good point for a best practice.
>>> And be it only in advising the best practice when using HSTS, like
>>> simply including one link to the parent https://example.com to avoid
>>> having unprotected parent-domains.
>> Well, if we could talk Eric into writing a draft…
>>
>
> In theory we/he could do an RFC6797bis for this.
> And as the change is only small, the review period should also be possible to
> keep contained.
>
> On the other hand, personally, I am not sure a new RFC would really be
> necessary, because it seems to me that with proper best practices (declare
> HSTS Policy at their top-level domain + frequently include the top-level, to
> make sure its HSTS is still renewed) this can be solved and there would be
> no change on the wire.

So we get an Informational draft called “best practices in using HSTS”. 2 pages long unless we rathole and add lots of stuff.
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
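The practice discussed in the thread (declare the policy at the top-level domain and have subdomain pages link to it so the browser refetches it before its max-age lapses) can be illustrated with a small model of a browser's HSTS cache. The code below is an added example written for this page, not code from the thread, from RFC 6797 or from any browser; the hosts, header values and visiting pattern are constructed. It parses Strict-Transport-Security values, keeps expiring per-host entries with includeSubDomains matching, and simulates a user who visits www.example.com daily but reaches the apex example.com only when www links to it.

```python
import re

# Added example: a minimal model of a browser's HSTS cache following RFC 6797
# max-age / includeSubDomains semantics. Not browser code; hosts and headers are constructed.

DAY = 86400
MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(header):
    """Return (max_age_seconds, include_subdomains) for an STS header value, or None if invalid."""
    match = MAX_AGE_RE.search(header)
    if match is None:
        return None  # RFC 6797 requires max-age; a header without it is ignored
    directives = [d.strip().lower() for d in header.split(";")]
    return int(match.group(1)), "includesubdomains" in directives


class HstsCache:
    """host -> (expiry timestamp, includeSubDomains flag), as a browser would keep it."""

    def __init__(self):
        self.entries = {}

    def note_response(self, host, sts_header, now):
        """Record the STS header seen on an HTTPS response from host at time now."""
        parsed = parse_sts(sts_header) if sts_header else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known_hsts(self, host, now):
        """True if host, or a superdomain whose entry has includeSubDomains, is unexpired."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is not None and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


# Constructed site: both hosts send HSTS for two days; the apex also covers subdomains.
SITE_HEADERS = {
    "example.com": "max-age=172800; includeSubDomains",
    "www.example.com": "max-age=172800",
}


def simulate(link_to_parent, days=5):
    """Model a user who visits www daily; the apex is refetched only when www links to it.

    Returns (apex_protected, www_protected) at the end of the period.
    """
    cache = HstsCache()
    # First visit lands on the apex and is redirected to www, so both get cached once.
    cache.note_response("example.com", SITE_HEADERS["example.com"], 0)
    cache.note_response("www.example.com", SITE_HEADERS["www.example.com"], 0)
    for day in range(1, days + 1):
        now = day * DAY
        cache.note_response("www.example.com", SITE_HEADERS["www.example.com"], now)
        if link_to_parent:
            # A link or resource on www pointing at https://example.com renews the apex entry.
            cache.note_response("example.com", SITE_HEADERS["example.com"], now)
    end = days * DAY + 1
    return cache.is_known_hsts("example.com", end), cache.is_known_hsts("www.example.com", end)


if __name__ == "__main__":
    print("without link to parent:", simulate(False))  # apex entry has lapsed
    print("with link to parent:   ", simulate(True))   # apex entry kept fresh
```

Without the link, the apex entry written on the first visit expires after two days and example.com is left unprotected even though www.example.com stays fresh; with the link, every daily visit renews the apex entry, which is the effect the thread attributes to "including one link to the parent". Real browsers also consult a preload list and apply the policy to connection upgrades and certificate-error handling, which this model leaves out.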
