[websec] #37: Clarify that superdomain HSTS flag does not update max-age of subdomain's HSTS max-age and vice versa

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Sun, 11 March 2012 16:47 UTC

#37: Clarify that superdomain HSTS flag does not update max-age of subdomain's
HSTS max-age and vice versa

 The case is the following: A UA notes a superdomain, e.g. example.com, as a
 Known HSTS Host, with "includeSubDomains". Then after that the UA also
 receives an HSTS header from subdomain foo.example.com (with or without
 "includeSubDomains") and a new max-age (longer or shorter time).
 The point is that in that case the HSTS timer of the superdomain (example.com)
 MUST NOT be changed (extended or shortened) to the timer used in the
 In fact the UA MUST keep both timers in cache independently and if at some
 point either one of them is removed (be it due to expiry or because of an
 update setting max-age=0), the second remaining HSTS value MUST still be
 kept intact and applied. This is mainly to prevent a subdomain from
 invalidating the HSTS flag of the superdomain or making it expire and vice

 Reporter:  tobias.gondrom@…      |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  enhancement           |     Status:  new
 Priority:  major                 |  Milestone:
Component:  strict-transport-sec  |    Version:
 Severity:  -                     |   Keywords:

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/37>
websec <http://tools.ietf.org/websec/>
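
The caching behaviour the ticket asks for, sketched as an added example (not part of the original message or of the draft): each host gets its own Known HSTS Host entry, and a header from one host never changes another host's timer. The class and method names are hypothetical, and time is passed in as plain seconds to keep the example deterministic.

```javascript
// Added example: hypothetical Known HSTS Host cache keyed by exact host name.
class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header received from `host` at `now`.
  // Only the entry for `host` itself is created, replaced or removed.
  noteHeader(host, headerValue, now) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      const v = value.trim().replace(/^"|"$/g, '');
      if (name.trim().toLowerCase() === 'max-age' && /^\d+$/.test(v)) {
        maxAge = Number(v);
      } else if (name.trim().toLowerCase() === 'includesubdomains') {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return; // no usable max-age: ignore the header
    const key = host.toLowerCase();
    if (maxAge === 0) {
      this.entries.delete(key); // removes this host's entry, nothing else
    } else {
      this.entries.set(key, { expires: now + maxAge, includeSubDomains });
    }
  }

  // Expiry time stored for exactly `host`, or null if it has no entry.
  expiryOf(host) {
    const entry = this.entries.get(host.toLowerCase());
    return entry ? entry.expires : null;
  }

  // Name of the host whose live entry forces HTTPS for `host`, or null.
  // The host's own entry is checked first, then each superdomain entry
  // that was stored with includeSubDomains.
  matchingPolicy(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return candidate;
    }
    return null;
  }
}
```

With example.com stored with includeSubDomains, a later `max-age=0` or a short max-age from foo.example.com leaves `matchingPolicy('foo.example.com', now)` returning `'example.com'` until that entry's own timer runs out.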