[I'm not subscribed to the websec working group so please copy me when replying.]
I don't know how to read section 11.3 of RFC 6797. It says "If all four of the following conditions are true... [self-signed certificates...] ...then secure connections to that site will fail, per the HSTS design." It seems to imply that adding a Strict-Transport-Security: header to a site which has a self-signed certificate is an error. But section 8.1 says that the Strict-Transport-Security: header will be ignored if the HTTPS session is not secured (for instance because the server uses a self-signed cert; section 8.1 says the header will be accepted only "if there are no underlying secure transport errors or warnings"). So, it seems that adding Strict-Transport-Security: is useless (it will be ignored, per section 8.1) but not an error.

I checked with the Chromium browser "Version 20.0.1132.47 Ubuntu 12.04 (144678)" and an HTTPS site signed by CAcert.org (an unknown CA for most browsers) and, indeed, Chromium ignores the HSTS header and accepts using HTTP. Once the CAcert.org cert is added, Chromium accepts the HSTS header and uses only HTTPS. So, it seems the Chromium programmers decided to ignore section 11.3?

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
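The behaviour observed above (header ignored while the CA is untrusted, honoured once it is trusted) can be modelled as a small HSTS policy cache following the section 8.1 acceptance rule and the section 8.3 upgrade rule. This is an added illustration, not code from the post, from RFC 6797 or from Chromium; the class name, the `tls_errors` list and the hostnames are assumptions.

```python
# Added example (not from the post, the RFC or any browser): a minimal HSTS
# policy cache. A Strict-Transport-Security header is only recorded when the
# response came over HTTPS with no transport errors or warnings (RFC 6797
# section 8.1); later plain-http requests to a known host are upgraded (8.3).
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, host, scheme, tls_errors, headers):
        """Return True if the STS header was accepted, False if ignored.
        tls_errors is a (hypothetical) list of warnings from the TLS layer,
        e.g. ["unknown CA"] for a self-signed or CAcert-signed certificate."""
        sts = headers.get("Strict-Transport-Security")
        if sts is None or scheme != "https" or tls_errors:
            return False  # section 8.1: not a secure transport, header ignored
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", sts, re.IGNORECASE)
        if m is None:
            return False  # max-age is mandatory; malformed header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 removes the policy
            return True
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", sts, re.IGNORECASE)
        self._policies[host.lower()] = (self._now() + max_age, sub is not None)
        return True

    def is_known_host(self, host):
        """Match the host itself, or a superdomain whose policy covers subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self._policies.get(".".join(labels[i:]))
            if pol is None or self._now() >= pol[0]:
                continue  # no policy, or an expired one
            if i == 0 or pol[1]:
                return True
        return False

    def rewrite_request(self, url):
        """Upgrade http:// to https:// for known HSTS hosts; otherwise unchanged."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known_host(p.hostname or ""):
            netloc = p.netloc[:-3] + ":443" if p.port == 80 else p.netloc
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url
```

With a constructed "unknown CA" warning the header is dropped and HTTP stays usable, exactly as the post describes for Chromium; with the warning gone the policy is stored and plain-http requests to the host and its subdomains are upgraded.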
