Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 22 August 2012 00:14 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0B8F21F8568 for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 17:14:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.697
X-Spam-Level:
X-Spam-Status: No, score=-100.697 tagged_above=-999 required=5 tests=[AWL=-0.202, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGeeR3mAXUQE for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 17:14:40 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 061C921F8555 for <websec@ietf.org>; Tue, 21 Aug 2012 17:14:39 -0700 (PDT)
Received: (qmail 11875 invoked by uid 0); 22 Aug 2012 00:14:39 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 22 Aug 2012 00:14:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=YWPIidrnRwNnkVu5KNLai6turaEGGeqol+SqbNesDLY=; b=Kb/oxPEyOM3UouAVABDUH/iOOeQs4OZS8iye9rDr8BA/pMvKFKhnFcqCImPS8EJSnGNSYxndmMQCoespRzxqGQJJnJV0JjKpvRWN1uTrd7RKCwg3NVcMCeYBNOET2+mv;
Received: from [24.4.122.173] (port=40893 helo=[192.168.11.12]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1T3yal-0002wc-BI; Tue, 21 Aug 2012 18:14:39 -0600
Message-ID: <5034246D.2060504@KingsMountain.com>
Date: Tue, 21 Aug 2012 17:14:37 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2012 00:14:42 -0000

Tobias asked:
 >
 > the case in question is: does HSTS with max-age=0 and includeSubDomains
 > mean you remove the HSTS flag (entry) for the subDomains as well ?

If you mean to ask whether a UA receiving this header from example.com..

   Strict-Transport-Security: max-age=0; includeSubDomains

..affects any _entries_ the UA may have in its HSTS list for subdomains of 
example.com, the answer is "no".

Also, receipt of the below header should be treated by the UA the same as 
receipt of the above header (where both headers are received from example.com)..

     Strict-Transport-Security: max-age=0


The intention is that receipt of an HSTS header field with "max-age=0" is 
treated the same regardless of the presence or absence of the includeSubDomains 
flag in the header field. The effect in both cases is to remove the entire entry 
for "example.com" from the UA's HSTS host list.

In other words, the UA maintains HSTS information indexed by hostname, and must 
receive an STS header from a given host (over a secure connection) in order to 
create, update, or delete HSTS info about the given host.

HTH,

=JeffH