[websec] Question regarding RFC 6797

Claudio Saavedra <csaavedra@igalia.com> Mon, 28 May 2018 08:20 UTC

Message-ID: <c725c551413c03e1aedbe4a562758853eaaf6be0.camel@igalia.com>
From: Claudio Saavedra <csaavedra@igalia.com>
To: websec@ietf.org
Date: Mon, 28 May 2018 11:20:02 +0300
Organization: Igalia
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/CaFpC25vfNXlMRe_kMyqdImjn38>
Subject: [websec] Question regarding RFC 6797
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

Hi,

I am currently implementing HSTS support for libsoup and there is one
point that I find confusing, and I would appreciate your comments.

Section 8.1 states:

   Update the UA's cached information for the Known HSTS Host if either
   or both of the max-age and includeSubDomains header field value
   tokens are conveying information different than that already
   maintained by the UA.

The way I understand this is that if an HSTS host keeps sending the same
values to a conforming client, this should not update the cached
information, and hence the cached information will expire after max-age
seconds have passed since the _first_reception_ of this header.

However, section 11.2 states:

   The "constant value into the future" approach can be accomplished by
   constantly sending the same max-age value to UAs.

   For example, a max-age value of 7776000 seconds is 90 days:

   Strict-Transport-Security: max-age=7776000

   Note that each receipt of this header by a UA will require the UA to
   update its notion of when it must delete its knowledge of this Known
   HSTS Host.

This seems to contradict what I quoted from section 8.1. If the server
constantly sends a max-age of 7776000 and includeSubDomains is not
changed (which is implicit in the example), then by 8.1 the cached
information won't be updated.

Would you mind clarifying this?

Best regards,

Claudio
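As an added example, not part of Claudio's message, of libsoup, or of the RFC text: a small Python model of the RFC 6797 section 8.1 processing that implements the behaviour section 11.2 describes, namely that every receipt of a valid Strict-Transport-Security header over a secure connection recomputes the expiry time as now + max-age, so a host that keeps sending max-age=7776000 stays a Known HSTS Host for as long as it is visited. Whether that is what section 8.1 intends is exactly what the message asks; the code simply takes the section 11.2 note at face value. It goes a little beyond the case in the question by also handling max-age=0 (the host asks to be forgotten), includeSubDomains superdomain matching, and malformed header values (no max-age, repeated directive, non-numeric delta-seconds), which the UA ignores. Host names, times and header values below are constructed for the illustration.

```python
"""Known-HSTS-Host store modelling RFC 6797 section 8.1 processing.

Added example for this thread; not libsoup code and not RFC text.  Every
receipt of a valid STS header over a secure connection refreshes the
expiry time (the reading section 11.2 describes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS field value per the section 6.1 grammar.

    Returns (max_age_seconds, include_subdomains), or None when the value
    does not conform (missing max-age, repeated directive, non-numeric
    delta-seconds, a value on includeSubDomains); the UA then ignores it.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:                 # the grammar allows empty directives
            continue
        name, sep, raw = directive.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:                  # a directive MUST NOT appear twice
            return None
        seen.add(name)
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]               # quoted-string form of the value
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            if sep:                       # this directive takes no value
                return None
            include_subdomains = True
        # any other directive is ignored for forward compatibility
    if max_age is None:                   # max-age is REQUIRED
        return None
    return max_age, include_subdomains


@dataclass
class KnownHost:
    expiry: float                 # absolute time (seconds) after which the entry is dropped
    include_subdomains: bool


class HstsStore:
    """Known HSTS Hosts keyed by lower-cased domain name."""

    def __init__(self) -> None:
        self._hosts: dict[str, KnownHost] = {}

    def process_header(self, host: str, value: str, now: float, secure: bool = True) -> None:
        """Section 8.1: note, update or forget `host` from one STS header."""
        if not secure:                    # only honoured over a secure transport
            return
        parsed = parse_sts(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                  # max-age=0: the host asks to be forgotten
            self._hosts.pop(host, None)
            return
        # Refresh on every receipt: the expiry time is now + max-age, which is
        # new information even when the max-age token itself is unchanged.
        self._hosts[host] = KnownHost(now + max_age, include_subdomains)

    def expiry(self, host: str) -> Optional[float]:
        entry = self._hosts.get(host.lower())
        return entry.expiry if entry else None

    def is_known(self, host: str, now: float) -> bool:
        """Sections 8.2/8.3: congruent match, or superdomain match on an entry
        asserting includeSubDomains.  Expired entries are purged on lookup."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expiry <= now:
                del self._hosts[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def refresh_scenario() -> dict:
    """The case from the question: the same max-age=7776000 (90 days) is sent
    at day 0 and again at day 80.  With refresh-on-receipt the entry now
    expires at day 170 rather than day 90."""
    day = 86400
    store = HstsStore()
    store.process_header("example.com", "max-age=7776000", now=0)
    store.process_header("example.com", "max-age=7776000", now=80 * day)
    return {
        "expiry_day": store.expiry("example.com") / day,
        "known_day_100": store.is_known("example.com", 100 * day),
        "known_day_171": store.is_known("example.com", 171 * day),
    }


if __name__ == "__main__":
    print(refresh_scenario())
```

Under the alternative reading in the question (expiry fixed at first reception), `refresh_scenario()` would report the host unknown at day 100; under the refresh reading it is known until day 170 and forgotten afterwards.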