Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

=JeffH <Jeff.Hodges@KingsMountain.com> Sat, 15 September 2012 00:16 UTC

Message-ID: <5053C8C6.70808@KingsMountain.com>
Date: Fri, 14 Sep 2012 17:16:06 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: Brian Smith <bsmith@mozilla.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

I'd replied..
>
> Brian Smith added..
>>
>> Tobias Gondrom wrote:
>>> Actually, the proposed text does not clarify it at all in my
>>> understanding. Maybe I did not make my point clear enough: the case in
>>> question is: does HSTS with max-age=0 and includeSubDomains mean you
>>> remove the HSTS flag (entry) for the subDomains as well (i.e. is this
>>> equivalent to receiving HSTS headers with max-age=0 for all subdomains)?
>>> You said "no" and that would be ok for me, but from the text you proposed
>>> this would still not be clear to me.
>>>
>>> Do you see what I mean?
>>
>> I agree that the proposed change doesn't really make things less
>> confusing.
>
> Perhaps you could suggest mods to -12 that would help clarify it from your
> perspective?

I re-wrote Section 5 "HSTS Mechanism Overview" to try to clarify this, in rev 
-13.  Please take a look. thx.


>> My understanding (based on this discussion) is that an HSTS header can
>> only modify the HSTS information for the same host that the HSTS header
>> was received on.
>
> correct.
>
>> This means that the client should not modify any information for
>> sub.example.org based on information it receives from example.org,
>
> correct.
>
>> and it should not modify any information for example.org based on
>> information it receives from sub.example.org.
>
> correct.
>
>
>> When making a connection to a host, the client reads the entry for the
>> given host, and for all parent domains that have includeSubdomains in their
>> HSTS entries.
>
> essentially correct.  Rather, the UA examines any superdomain host (aka
> parent domain hosts) entries it may have and if any of them have
> includeSubdomains asserted, then HSTS Policy applies to the given host;
> otherwise HSTS Policy applies to the given host if it is a Known HSTS Host to
> that UA. Step 5 in Section 8.3.
>
>
>> After receiving an HSTS header from a given host, the client updates the
>> entry for the given host only.
>
> correct.
>
>> When receiving an HSTS header and updating the database, the client should
>> never traverse the parent/child domain hierarchy.
>
> correct.
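The rules the thread converges on (a header only modifies the entry of the host it was received from; max-age=0 drops only that host's entry; when connecting, the UA applies HSTS Policy if the host is itself a Known HSTS Host or any superdomain entry asserts includeSubDomains) can be modelled directly. The following is an added example written for this page, not code from the thread, the draft, or any browser; `HstsStore`, `parse_sts` and `thread_scenario` are hypothetical names and the hosts and header values are constructed.

```python
import time


def parse_sts(value):
    """Parse a Strict-Transport-Security field value into (max_age, include_subdomains).

    Directive names are case-insensitive and separated by ';'. max-age is required;
    includeSubDomains is a flag. Returns a tuple suitable for HstsStore.receive_header.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(raw.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_subdomains


class HstsStore:
    """Toy model of a UA's Known HSTS Host store (hypothetical, added for illustration)."""

    def __init__(self, now=None):
        self._entries = {}  # host -> (expiry_timestamp, include_subdomains)
        self._now = now or time.time

    @staticmethod
    def _canon(host):
        return host.lower().rstrip(".")

    def _expire(self):
        now = self._now()
        for host in [h for h, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[host]

    def receive_header(self, host, max_age, include_subdomains=False):
        """Apply an STS header received over a secure connection from `host`.

        Only `host`'s own entry is touched. The parent/child hierarchy is never
        traversed on receipt, so max-age=0 from example.org leaves any entry for
        sub.example.org in place even if includeSubDomains was asserted.
        """
        host = self._canon(host)
        if max_age == 0:
            # max-age=0: the UA ceases to regard `host` as a Known HSTS Host.
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + max_age, include_subdomains)

    def policy_applies(self, host):
        """Decide whether HSTS Policy applies when connecting to `host`.

        True if `host` is itself a Known HSTS Host, or if any superdomain has an
        unexpired entry with includeSubDomains asserted.
        """
        host = self._canon(host)
        self._expire()
        if host in self._entries:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self._entries.get(parent)
            if entry is not None and entry[1]:
                return True
        return False


def thread_scenario():
    """Replay the case discussed in the thread with a frozen clock (constructed data)."""
    store = HstsStore(now=lambda: 1000.0)
    store.receive_header("example.org", *parse_sts("max-age=3600; includeSubDomains"))
    store.receive_header("sub.example.org", *parse_sts("max-age=3600"))
    before = (store.policy_applies("other.example.org"),  # covered via parent's includeSubDomains
              store.policy_applies("sub.example.org"))    # covered by its own entry
    # Parent sends max-age=0: only example.org's own entry is removed.
    store.receive_header("example.org", *parse_sts("max-age=0; includeSubDomains"))
    after = (store.policy_applies("other.example.org"),   # no longer covered
             store.policy_applies("sub.example.org"),     # still a Known HSTS Host
             store.policy_applies("example.org"))         # removed
    return before, after


if __name__ == "__main__":
    print(thread_scenario())
```

Running `thread_scenario()` shows the answer Tobias asked for: after example.org sends max-age=0, sibling hosts that were covered only through the parent's includeSubDomains lose coverage, while sub.example.org keeps its own entry because the UA never traverses from parent to child when processing a header.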