[websec] HSTS: max-age=0 interacting with includeSubdomains
David Keeler <dkeeler@mozilla.com> Mon, 13 August 2012 22:16 UTC
Message-ID: <50297CA6.6080506@mozilla.com>
Date: Mon, 13 Aug 2012 15:16:06 -0700
From: David Keeler <dkeeler@mozilla.com>
To: websec@ietf.org
Subject: [websec] HSTS: max-age=0 interacting with includeSubdomains
Hello,

The current HSTS spec draft says "A max-age value of zero (i.e., "max-age=0") signals the UA to cease regarding the host as a Known HSTS Host." (section 6.1.1)

How does this interact with the includeSubdomains directive? For instance, if the UA receives an HSTS header with includeSubdomains from example.com but then receives an HSTS header with max-age=0 from sub.example.com, is sub.example.com to be noted as an HSTS host?

Either way, I believe the language of the spec could be a bit more clear.

Cheers,
David Keeler
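The following is an added example, not part of David Keeler's message or of any browser's code. It models a UA's HSTS store the way the published spec, RFC 6797, resolved the question raised above: policies are stored per host (section 8.1), a header with max-age=0 removes only the receiving host's own entry (and with it that host's includeSubDomains flag), and the "is this a Known HSTS Host" check (section 8.3) also matches a superdomain entry that asserted includeSubDomains. The hostnames, header values and function names are constructed for illustration.

```javascript
// Added example: a minimal model of a UA's HSTS store following RFC 6797
// sections 8.1 (per-host processing, max-age=0 deletes that host's policy)
// and 8.3 (exact or includeSubDomains superdomain match). Hostnames and
// header values below are constructed, not taken from the original message.

// Parse a Strict-Transport-Security value into {maxAge, includeSubDomains}.
// Returns null when the header must be ignored: missing or non-numeric
// max-age, or a directive that appears more than once (RFC 6797, section 6.1).
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;            // duplicated directive: ignore header
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = parseInt(val, 10);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unrecognised directives are ignored, as the spec requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.entries = new Map();                   // host -> { expires, includeSubDomains }
  }

  // Process an STS header received from `host` over a secure connection at
  // time `now` (milliseconds).
  processHeader(host, headerValue, now) {
    const parsed = parseStsHeader(headerValue);
    if (parsed === null) return;
    host = host.toLowerCase();
    if (parsed.maxAge === 0) {
      // max-age=0 drops this host's own policy, including its includeSubDomains
      // flag. Entries belonging to other hosts (such as a superdomain that
      // asserted includeSubDomains) are untouched, so the subdomain may still
      // be covered by them.
      this.entries.delete(host);
      return;
    }
    this.entries.set(host, {
      expires: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
  }

  // Is `host` a Known HSTS Host at time `now`? True on an unexpired exact
  // match, or on an unexpired superdomain entry that asserted includeSubDomains.
  isKnownHstsHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {              // expired policy: forget it
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// The scenario from the message: example.com sets includeSubDomains, then
// sub.example.com sends max-age=0. A second step clears example.com itself.
function runScenario() {
  const store = new HstsStore();
  const t0 = 0;
  store.processHeader('example.com', 'max-age=31536000; includeSubDomains', t0);
  store.processHeader('sub.example.com', 'max-age=0', t0);
  const afterSubClear = store.isKnownHstsHost('sub.example.com', t0);    // true
  store.processHeader('example.com', 'max-age=0', t0);
  const afterParentClear = store.isKnownHstsHost('sub.example.com', t0); // false
  return { afterSubClear, afterParentClear };
}
```

Under this model sub.example.com's max-age=0 removes nothing that covers it, because the covering policy belongs to example.com; only a max-age=0 sent by example.com itself stops the superdomain match. The lookup walks parent labels rather than doing a suffix string compare, so a host such as notexample.com is never matched by an entry for example.com.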