Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

=JeffH <> Wed, 22 August 2012 00:15 UTC


Brian Smith added..
 > Tobias Gondrom wrote:
 >> Actually, the proposed text does not clarify it at all in my
 >> understanding. Maybe I did not make my point clear enough: the case in
 >> question is: does HSTS with max-age=0 and includeSubDomains mean you remove
 >> the HSTS flag (entry) for the subDomains as well (i.e. is this equivalent
 >> to receiving HSTS headers with max-age=0 for all subdomains)? You said "no"
 >> and that would be ok for me, but from the text you proposed this would
 >> still not be clear to me.
 >> Do you see what I mean?
 > I agree that the proposed change doesn't really make things less confusing.

Perhaps you could suggest mods to -12 that would help clarify it from your 

 > My understanding (based on this discussion) is that an HSTS header can only
 > modify the HSTS information for the same host that the HSTS header was
 > received on.


 > This means that the client should not modify any information for
 > based on information it receives from,


 >  and it
 > should not modify any information for based on information it
 > receives from


 > When making a connection to a host, the client reads the entry for the given
 > host, and for all parent domains that have includeSubdomains in their HSTS
 > entries.

essentially correct.  Rather, the UA examines any superdomain host (aka parent 
domain hosts) entries it may have and if any of them have includeSubdomains 
asserted, then HSTS Policy applies to the given host; otherwise HSTS Policy 
applies to the given host if it is a Known HSTS Host to that UA. Step 5 in 
Section 8.3.

 > After receiving an HSTS header from a given host, the client updates the
 > entry for the given host only.


 > When receiving an HSTS header and updating the
 > database, the client should never traverse the parent/child domain
 > hierarchy.
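
The update and lookup rules discussed in this message, as an added example that is not part of the original thread or of any browser's code: a toy HSTS store in which a received header changes only the sending host's entry, while lookup consults superdomain entries that assert includeSubDomains. The class and method names and the example.com hostnames are assumptions made for illustration.

```python
import time


class HSTSStore:
    """Toy model of a UA's HSTS store (illustrative, not a real browser's code)."""

    def __init__(self):
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def note_header(self, host, max_age, include_subdomains=False, now=None):
        """Record an STS header received over a secure connection from `host`.

        Only the entry for `host` itself is created, refreshed or removed;
        the parent/child domain hierarchy is never traversed on update.
        """
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._entries.pop(host, None)  # forget this host only
        else:
            self._entries[host] = (now + max_age, include_subdomains)

    def applies_to(self, host, now=None):
        """Return True if HSTS Policy applies to `host` at lookup time."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown or expired entry
            # i == 0 is the host's own entry; i > 0 is a superdomain,
            # which only counts if it asserted includeSubDomains.
            if i == 0 or entry[1]:
                return True
        return False


def scenario():
    """Constructed walk-through of the max-age=0 + includeSubDomains case."""
    year = 31536000
    s = HSTSStore()
    s.note_header("example.com", year, include_subdomains=True, now=0)
    s.note_header("a.example.com", year, now=0)
    before = s.applies_to("b.example.com", now=1)  # covered via parent
    # Parent withdraws its policy: only the example.com entry is removed.
    s.note_header("example.com", 0, include_subdomains=True, now=2)
    return {"b_before": before,
            "parent": s.applies_to("example.com", now=3),
            "b_after": s.applies_to("b.example.com", now=3),
            "a_after": s.applies_to("a.example.com", now=3)}
```

In this model `a.example.com` keeps its own entry after the parent sends max-age=0, while `b.example.com`, which was only ever covered through the parent, stops being treated as an HSTS host.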