On 11/7/14, 7:04 AM, "Daniel Kahn Gillmor" <[email protected]> wrote:
>On 11/07/2014 01:56 AM, Xiaoyin Liu wrote:
>> So I want to propose a update to RFC 6797 to define a new directive
>> called "infinite" (or something else). When a UA sees this directive,
>> max-age should be ignored and HSTS should always be enforced until
>> users clear the cache or the server sends a valid STS header without
>> "infinite" directive.
> [...]
>> Any comments on this? Thanks!
>
>The reason this wasn't included in the original spec was because of fear
>of creating a "permanent footgun" -- that is, it's possible that the
>HSTS header in a domain causes problems for the domain, and having those
>problems never expire seems dangerous.

Agreed, tho without going back thru all that history, I don't recall our
ever discussing having an HSTS Policy that never expires (but whatever).

>For example, the administrative overhead for maintaining X.509 certs
>from the cartel might be too much for the organization at some point,
>and they might want to opt out of it. Or, Certificate Transparency
>becomes dominant but fails to avoid full enumeration of X.509 hosts, and
>the organization has includeSubdomains set but wants to have some hosts
>whose names aren't enumerable publicly. Alternately, the current domain
>registrant may decide to transfer the domain to another registrant.
>What happens then?
>
>Perhaps the answers to these concerns are:
>
>This is OK; the hassle of cert maintenance is not much greater than the
>hassle of domain name registration; full zone enumeration can be solved
>within an organization by registering a distinct zone in the DNS for the
>non-enumerable hosts, and which doesn't have these properties; and we
>should be moving to a world where zones are locked into being "secure
>traffic only", and the "locked-secure" status of such a domain is one of
>the many reputational factors that need to be weighed when considering a
>zone transfer.
>
>What do other folks think?
Yes, there's various deployment/operational considerations where one may
want/need to signal the UAs to forget about a particular HSTS Policy.

=JeffH

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
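To make the trade-off in the thread concrete, here is an added example (not code from the thread, from RFC 6797, or from any browser) of a minimal user-agent-side HSTS policy store. It implements the RFC 6797 rules that matter here: `max-age` is required and a header with a missing or duplicated `max-age` is ignored, unknown directives are ignored, and `max-age=0` makes the UA forget the host. On top of that it adds the HYPOTHETICAL `infinite` directive proposed by Xiaoyin: the directive name, its handling, and the hostnames used in the walk-through are assumptions for illustration. The walk-through shows the "permanent footgun" from JeffH's and DKG's messages: once a never-expiring policy is stored, the only way the operator can undo it is a later header without `infinite` (here `max-age=0`), which requires the site to still be reachable over a valid HTTPS connection.

```javascript
// Added example, not from the websec thread or any browser implementation.
// Minimal RFC 6797-style HSTS store plus a HYPOTHETICAL "infinite" directive.

const INFINITE_DIRECTIVE = "infinite"; // assumption: not part of RFC 6797

// Parse a Strict-Transport-Security header value.
// Returns null when the header must be ignored (RFC 6797 section 6.1:
// missing max-age, or any directive name appearing more than once).
function parseSts(value) {
  const policy = { maxAge: null, includeSubDomains: false, infinite: false };
  const seen = new Set();
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null; // duplicate directive: ignore whole header
    seen.add(name);
    if (name === "max-age") {
      if (val !== null && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
      if (val === null || !/^\d+$/.test(val)) return null; // delta-seconds required
      policy.maxAge = Number(val);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === INFINITE_DIRECTIVE) {
      policy.infinite = true; // hypothetical: never expires
    }
    // any other directive is ignored, as RFC 6797 requires
  }
  if (policy.maxAge === null) return null; // max-age is REQUIRED
  return policy;
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Process a header received from `host` over a secure transport.
  applyHeader(host, headerValue, nowMs) {
    const p = parseSts(headerValue);
    if (p === null) return "ignored";
    host = host.toLowerCase();
    if (p.infinite) {
      this.hosts.set(host, { expires: Infinity, includeSubDomains: p.includeSubDomains });
      return "stored-permanent";
    }
    if (p.maxAge === 0) {
      // RFC 6797 section 8.1: max-age=0 tells the UA to forget the host.
      // With the hypothetical directive, a header without "infinite" is also
      // the only way to undo a stored never-expiring policy.
      this.hosts.delete(host);
      return "forgotten";
    }
    this.hosts.set(host, { expires: nowMs + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
    return "stored";
  }

  // Is `host` (directly, or via a superdomain with includeSubDomains) a Known HSTS Host now?
  isKnownHost(host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowMs) { this.hosts.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Walk-through on constructed headers and hostnames (all made up for the example).
function demo() {
  const store = new HstsStore();
  const t0 = 1000000;
  const year = 31536000;
  const out = [];
  out.push(store.applyHeader("example.com", "max-age=31536000; includeSubDomains", t0));
  out.push(store.isKnownHost("api.example.com", t0 + 1));                 // covered via parent
  out.push(store.isKnownHost("api.example.com", t0 + year * 1000 + 1));   // max-age elapsed
  out.push(store.applyHeader("forever.example", "max-age=60; infinite", t0));
  out.push(store.isKnownHost("forever.example", t0 + 10 * year * 1000));  // still enforced
  out.push(store.applyHeader("forever.example", "max-age=0", t0));        // the only way out
  out.push(store.isKnownHost("forever.example", t0));
  out.push(store.applyHeader("bad.example", "includeSubDomains", t0));     // no max-age
  out.push(store.applyHeader("bad.example", "max-age=1; max-age=2", t0)); // duplicate
  return out;
}

module.exports = { parseSts, HstsStore, demo };
```

The `max-age=0` step is the escape hatch the thread is discussing: it only works while the operator can still serve a valid certificate for the host, which is exactly the scenario DKG raises where the organization has stopped maintaining certificates or has handed the domain to someone else.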
