Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)

Julian Reschke <julian.reschke@gmx.de> Tue, 03 January 2012 08:22 UTC

Message-ID: <4F02BABA.9070304@gmx.de>
Date: Tue, 03 Jan 2012 09:22:18 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <4F023DD0.8060308@KingsMountain.com> <D4D8FBAE-C04C-4396-A8B8-17F42874B1DF@checkpoint.com>
In-Reply-To: <D4D8FBAE-C04C-4396-A8B8-17F42874B1DF@checkpoint.com>
Cc: IETF WebSec WG <websec@ietf.org>

On 2012-01-03 07:26, Yoav Nir wrote:
> On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
>
>> Julian wondered..
>>>
>>> wouldn't it make sense to have a default for max-age so it
>>> can be made OPTIONAL?
>>
>> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and
>> thus hopefully encouraging deployers to think a bit about this and its
>> ramifications, and also because its value is so site-specific in terms of a web
>> application's needs, deployment approach, and tolerance for downside risk of
>> breaking itself.
>
> I tend to agree, but it's not deployers who are going to do the thinking - it's the implementers of web servers.
>
> So somewhere, in some control panel for IIS, or a config file for Apache, or some WebUI for some SSL-VPN, there's going to be a configuration to turn on HSTS, and that product is going to have a default max-age. The deployers are just going to check the box.
>
> I think we should provide guidance for those implementers as to what is a good default there.
> ...

If we know a good default then it should be the default on the wire (IMHO). It would help getting predictable behavior when it's missing. (Right now the spec allows recipients to do anything they want when it's missing, right?)

Best regards, Julian
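The two recipient behaviours the thread is weighing, as an added example that is not from the list, any HSTS draft or any browser: a small parser for the Strict-Transport-Security header value that either rejects a header lacking max-age (the REQUIRED, no-default position) or applies a caller-supplied default (the default-on-the-wire position). The directive grammar is a simplified assumption, and the 86400-second default used in the demo is a constructed value, not a recommendation.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Simplified directive grammar (assumption, not any draft's ABNF): directives
# separated by ';', case-insensitive names, optional value that may be quoted.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|[^;"\s]+))?\s*$')


@dataclass
class StsPolicy:
    max_age: int            # seconds the host must be treated as HTTPS-only
    include_subdomains: bool


class StsParseError(ValueError):
    """Raised when the header is malformed and must be ignored by the recipient."""


def parse_sts(header: str, default_max_age: Optional[int] = None) -> StsPolicy:
    """Parse an STS header value.

    default_max_age=None models 'max-age is REQUIRED': a header without it is
    rejected, so the recipient never applies an ad-hoc guess.  A non-None value
    models the alternative in the thread: a default defined on the wire.
    """
    seen: Dict[str, Optional[str]] = {}
    for raw in header.split(';'):
        if not raw.strip():
            continue                      # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            raise StsParseError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(2)
        if name in seen:
            raise StsParseError(f"duplicate directive: {name}")
        seen[name] = value                # unknown directives are kept but ignored
    if 'max-age' in seen:
        v = seen['max-age']
        if v is None or not v.isdigit():  # delta-seconds: non-negative integer
            raise StsParseError("max-age must be a non-negative integer")
        max_age = int(v)
    elif default_max_age is not None:
        max_age = default_max_age
    else:
        raise StsParseError("max-age directive is REQUIRED and absent")
    return StsPolicy(max_age=max_age, include_subdomains='includesubdomains' in seen)


def rejects(header: str, default_max_age: Optional[int] = None) -> bool:
    """True if the recipient would ignore this header under the given policy."""
    try:
        parse_sts(header, default_max_age)
        return False
    except StsParseError:
        return True
```

Run with `parse_sts("includeSubDomains")` to see the REQUIRED policy reject it, and `parse_sts("includeSubDomains", default_max_age=86400)` (constructed default) to see the default-on-the-wire policy accept it.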