[websec] HSTS: max-age=0 interacting with includeSubdomains

David Keeler <dkeeler@mozilla.com> Mon, 13 August 2012 22:16 UTC

Message-ID: <50297CA6.6080506@mozilla.com>
Date: Mon, 13 Aug 2012 15:16:06 -0700
From: David Keeler <dkeeler@mozilla.com>
To: websec@ietf.org

Hello,

The current HSTS spec draft says "A max-age value of zero (i.e.,
"max-age=0") signals the UA to cease regarding the host as a Known HSTS
Host." (section 6.1.1) How does this interact with the includeSubdomains
directive?
For instance, if the UA receives an HSTS header with includeSubdomains
from example.com but then receives an HSTS header with max-age=0 from
sub.example.com, is sub.example.com to be noted as an HSTS host?
Either way, I believe the language of the spec could be a bit more clear.

Cheers,
David Keeler
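The interaction asked about above, as an added example that is not part of the original message or of any Mozilla code: a small Python model of a Known HSTS Host cache that follows the rules RFC 6797 later published, where max-age=0 removes only the sending host's own entry (section 8.1) and a host is Known if it has a congruent entry or an unexpired superdomain entry asserting includeSubDomains (section 8.3). Host names and times are constructed sample values.

```python
class HstsStore:
    """Minimal Known HSTS Host cache following RFC 6797: max-age=0 removes
    the sending host's own entry (section 8.1); a host is Known if it has a
    congruent entry or a superdomain entry asserting includeSubDomains
    (section 8.3)."""

    def __init__(self):
        self.entries = {}  # host -> (expiry time in seconds, includeSubDomains)

    @staticmethod
    def parse(header):
        """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            raise ValueError("max-age directive is required")
        return max_age, include_sub

    def process_header(self, host, header, now):
        """Apply a header received over TLS from `host` at time `now`."""
        max_age, include_sub = self.parse(header)
        host = host.lower().rstrip(".")
        if max_age == 0:
            # Cease regarding this host as Known. Other hosts' entries are
            # untouched, so a superdomain's includeSubDomains still covers it.
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known_host(self, host, now):
        """Congruent match first, then each superdomain (counts only if it
        asserted includeSubDomains); expired entries are ignored."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False
```

With this model, sub.example.com sending max-age=0 clears only its own entry, so it remains a Known HSTS Host for as long as example.com's includeSubDomains policy is unexpired; only a max-age=0 from example.com itself withdraws that coverage.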