Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)

Adam Barth <ietf@adambarth.com> Tue, 03 January 2012 09:15 UTC

In-Reply-To: <4F02BABA.9070304@gmx.de>
References: <4F023DD0.8060308@KingsMountain.com> <D4D8FBAE-C04C-4396-A8B8-17F42874B1DF@checkpoint.com> <4F02BABA.9070304@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 03 Jan 2012 01:14:42 -0800
Message-ID: <CAJE5ia91GAKYH0ZQUAWSC6p9t_MO5aJGvCzoH_jfHcdmutCGVg@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)

On Tue, Jan 3, 2012 at 12:22 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2012-01-03 07:26, Yoav Nir wrote:
>>
>> On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
>>
>>> Julian wondered..
>>>
>>>> wouldn't it make sense to have a default for max-age so it
>>>> can be made OPTIONAL?
>>>
>>> hm ... I lean towards keeping max-age as REQUIRED (without a default
>>> value) and thus hopefully encouraging deployers to think a bit about
>>> this and its ramifications, and also because its value is so
>>> site-specific in terms of a web application's needs, deployment
>>> approach, and tolerance for downside risk of breaking itself.
>>
>>
>> I tend to agree, but it's not deployers who are going to do the thinking -
>> it's the implementers of web servers.
>>
>> So somewhere, in some control panel for IIS, or a config file for Apache,
>> or some WebUI for some SSL-VPN, there's going to be a configuration to turn
>> on HSTS, and that product is going to have a default max-age. The deployers
>> are just going to check the box.
>>
>> I think we should provide guidance for those implementers as to what is a
>> good default there.
>> ...
>
>
> If we know a good default then it should be the default on the wire (IMHO).
> It would help get predictable behavior when it's missing. (Right now the
> spec allows recipients to do anything they want when it's missing, right?)

We should define the behavior in any case, which I guess means I'm
advocating a default max-age of zero.

Adam
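The two recipient behaviours debated in this thread, modelled as an added example (not code from the thread or from any HSTS implementation): a small Strict-Transport-Security parser feeding a known-hosts store that either ignores a header with no max-age, or treats a missing max-age as zero as Adam proposes. The directive syntax (`max-age=N`, `includeSubDomains`) and the rule that max-age=0 removes the host from the store are assumptions of this example, and the header values are constructed.

```python
import time

def parse_sts(header):
    """Parse an STS field value into {directive_name: value}.
    Names are case-insensitive, values may be quoted; a repeated
    directive name makes the header invalid (returns None)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    return directives

class KnownHosts:
    """Minimal HSTS known-hosts store (assumed model, not a browser's).
    missing_max_age is "ignore" (header without max-age is invalid and
    dropped) or "zero" (a missing max-age defaults to 0, so the host is
    removed from the store, the consequence of a default of zero)."""
    def __init__(self, missing_max_age="ignore", now=time.time):
        self.missing_max_age = missing_max_age
        self.now = now
        self.hosts = {}

    def process(self, host, header):
        d = parse_sts(header)
        if d is None:
            return "invalid"
        if "max-age" not in d:
            if self.missing_max_age == "ignore":
                return "ignored"
            d["max-age"] = "0"
        if not d["max-age"].isdigit():
            return "invalid"
        max_age = int(d["max-age"])
        if max_age == 0:
            self.hosts.pop(host, None)
            return "deleted"
        self.hosts[host] = {"expires": self.now() + max_age,
                            "include_subdomains": "includesubdomains" in d}
        return "stored"

    def is_known(self, host):
        entry = self.hosts.get(host)
        return entry is not None and entry["expires"] > self.now()
```

Under the "zero" policy a server that drops max-age from an otherwise well-formed header (say, a product default that omits it) silently clears the host's HSTS entry, which is the deployment risk Jeff's REQUIRED-without-default position is guarding against.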