I agree. Preload is probably the easiest way to go. And the use case of transfer of domain ownership can not be ignored.
Not sure whether preload really needs further standardization; after all, there are only a few browser implementations out there. However, if you think that is needed, feel free to drop me a message and we can write up a quick ID and publish it as an individual ID.

Best regards,
Tobias

-----Original Message-----
From: websec <[email protected]> On Behalf Of Anne van Kesteren
Sent: Tuesday, May 8, 2018 9:48 AM
To: Yoav Nir <[email protected]>
Cc: Robert Linder <[email protected]>; [email protected]
Subject: Re: [websec] Regarding RFC 6797

On Mon, May 7, 2018 at 9:54 PM, Yoav Nir <[email protected]> wrote:
> Immutable meaning that the HSTS header is permanent and can never be
> removed? So if a user agent has seen an immutable HSTS header once,
> that site has to be (valid) HTTPS-only forever?
>
> Interesting idea.

FWIW, if anything, it should be about standardizing https://hstspreload.org/. That's already the widely adopted practice to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible, other than using a TLD that has HSTS as policy. And even then TLDs get reassigned or disappear at times...)

-- 
https://annevankesteren.nl/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
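The distinction the thread turns on (a dynamically learned HSTS policy can be revoked by the site with max-age=0, while a preload-list entry cannot) is easy to see in code. The following is an added example, not code from the thread or from hstspreload.org: a Strict-Transport-Security header parser following the RFC 6797 section 6.1 rules (max-age required, each directive at most once, names case-insensitive, unknown directives ignored), a check against the submission requirements I recall from hstspreload.org (an assumption: max-age of at least one year, includeSubDomains, and the non-RFC `preload` directive), and a toy model of a user agent's Known HSTS Hosts store that also consults a static preload list. The store assumes preload entries cover subdomains, which matches the hstspreload.org requirement; all sample headers and hosts are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the minimum max-age hstspreload.org currently requires (one year).
PRELOAD_MIN_MAX_AGE = 31536000

# RFC 7230 token characters; RFC 6797 directive values may be a token or quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^\s*({_TOKEN})\s*(?:=\s*(?:"([^"]*)"|({_TOKEN})))?\s*$')


@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False            # not an RFC 6797 directive; hstspreload.org convention
    unknown: dict = field(default_factory=dict)  # ignored per RFC 6797 section 6.1


def parse_sts(header: str) -> Optional[StsPolicy]:
    """Parse an STS header value. Returns None where RFC 6797 says the UA must ignore it."""
    seen = {}
    for raw in header.split(";"):          # ABNF allows empty directives between ';'
        if raw.strip() == "":
            continue
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None                    # malformed directive: ignore whole header
        name = m.group(1).lower()          # directive names are case-insensitive
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None                    # a directive MUST appear at most once
        seen[name] = value
    max_age = seen.pop("max-age", None)
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                        # max-age is REQUIRED and must be delta-seconds
    policy = StsPolicy(max_age=int(max_age))
    policy.include_subdomains = "includesubdomains" in seen   # valueless directive
    policy.preload = "preload" in seen
    seen.pop("includesubdomains", None)
    seen.pop("preload", None)
    policy.unknown = seen
    return policy


def preload_problems(policy: StsPolicy) -> list:
    """Header-level reasons a policy would fail preload submission (assumed requirements)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Toy model of a UA's Known HSTS Hosts (RFC 6797 section 5.1/8.1) plus a preload list."""

    def __init__(self, preload_list=()):
        self.dynamic = {}  # host -> (expiry_time, include_subdomains)
        self.preloaded = frozenset(h.lower() for h in preload_list)

    def observe(self, host: str, header: str, now: int) -> None:
        """Process an STS header received from `host` over a secure transport at time `now`."""
        policy = parse_sts(header)
        if policy is None:
            return                         # malformed: keep whatever entry exists
        host = host.lower()
        if policy.max_age == 0:
            self.dynamic.pop(host, None)   # section 6.1.1: max-age=0 revokes the dynamic entry
        else:
            self.dynamic[host] = (now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str, now: int) -> bool:
        """True if the UA must upgrade requests to `host`. Preload entries cannot be revoked."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preloaded:     # assumption: preload entries imply includeSubDomains
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False
```

The store shows why Anne's "mostly-immutable" wording is accurate: a site that has only ever sent a dynamic header can walk it back with `max-age=0` (useful for the domain-transfer case Tobias mentions), whereas a preloaded host stays upgraded until the list itself changes, which no header from the site can cause.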
