Re: [websec] #37: Clarify that superdomain HSTS flag does not update max-age of subdomain's HSTS max-age and vice versa

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Tue, 12 June 2012 18:24 UTC

From: websec issue tracker <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
Cc: websec@ietf.org
Date: Tue, 12 Jun 2012 18:24:30 -0000
Message-ID: <082.d8f57bd071bc0cc49d717772feaf72e2@trac.tools.ietf.org>
In-Reply-To: <067.4afd58f6d675d5bdb2f19d83a8c1d99a@trac.tools.ietf.org>
References: <067.4afd58f6d675d5bdb2f19d83a8c1d99a@trac.tools.ietf.org>
X-Trac-Ticket-ID: 37
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/37#comment:1
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

#37: Clarify that superdomain HSTS flag does not update max-age of subdomain's
HSTS max-age and vice versa

 The case is the following: A UA notes a superdomain, e.g. example.com, as a
 Known HSTS Host, with "includeSubDomains". Then after that the UA also
 receives an HSTS header from subdomain foo.example.com (with or without
 "includeSubDomains") and a new max-age (longer or shorter time).
 The point is that in that case the HSTS timer of the superdomain
 (example.com) MUST NOT be changed (extended or shortened) to the timer used
 in the subdomain.
 In fact the UA MUST keep both timers in cache independently, and if at some
 point either one of them is removed (be it due to expiry or because of an
 update setting max-age=0), the other, remaining HSTS value MUST still be
 kept intact and applied. This is mainly to prevent a subdomain from
 invalidating the HSTS flag of the superdomain or making it expire, and vice
 versa.
Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed
 * severity:  - => In WG Last Call

Comment:

 fixed in -07

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  tobias.gondrom@…       |  transport-sec@…
     Type:  enhancement  |      Status:  closed
 Priority:  major        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:  fixed
 Severity:  In WG Last   |
  Call                   |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/37#comment:1>
websec <http://tools.ietf.org/websec/>
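To make the cache behaviour the ticket asks for concrete, here is an added example (written for this archive entry; it is not code from the draft, the ticket, or any browser) that models a UA's Known HSTS Host cache with one independent max-age timer per host. The header parser follows the directive grammar of RFC 6797 Section 6.1; the hosts, header values and clock values in the scenario are constructed, and the function and class names are this example's own.

```python
"""Minimal model of a Known HSTS Host cache in which every host keeps its own
max-age timer.  Illustrative code written for this note (constructed names and
data); not from the draft or any browser."""
from typing import Dict, Optional, Tuple


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value into (max_age, includeSubDomains).

    Returns None when the header is invalid (no max-age, a duplicated directive,
    or a non-numeric max-age); a UA ignores such headers.  Directive names are
    case-insensitive and the max-age value may be quoted (RFC 6797 Section 6.1).
    """
    max_age = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None          # each directive may appear at most once
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. preload) are ignored, as the spec allows
    if max_age is None:
        return None
    return max_age, include_sub


class HSTSCache:
    """Known HSTS Hosts keyed by exact host name; entries never touch each other."""

    def __init__(self) -> None:
        # host -> (absolute expiry time, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, now: float) -> bool:
        """Apply an STS header received over a secure connection from `host`.

        Only `host`'s own entry is created, updated, or (max-age=0) deleted.  The
        entry of a superdomain or subdomain is left untouched, which is the
        behaviour ticket #37 asks the draft to state explicitly.
        Returns True if the header was valid and applied.
        """
        parsed = parse_sts_header(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)      # host asked to be forgotten
        else:
            self._hosts[host] = (now + max_age, include_sub)
        return True

    def _live(self, host: str, now: float) -> Optional[Tuple[float, bool]]:
        entry = self._hosts.get(host)
        if entry is None:
            return None
        if entry[0] <= now:                  # lazily purge an expired entry
            del self._hosts[host]
            return None
        return entry

    def is_known(self, host: str, now: float) -> bool:
        """True if the UA must treat `host` as an HSTS host right now: either an
        unexpired exact entry exists, or an unexpired superdomain entry carries
        includeSubDomains."""
        host = host.lower()
        if self._live(host, now) is not None:
            return True
        labels = host.split(".")
        # check example.com for foo.example.com, but never the TLD on its own
        for i in range(1, len(labels) - 1):
            entry = self._live(".".join(labels[i:]), now)
            if entry is not None and entry[1]:
                return True
        return False

    def expiry(self, host: str) -> Optional[float]:
        entry = self._hosts.get(host.lower())
        return None if entry is None else entry[0]


def scenario_from_ticket() -> dict:
    """Walk through the situation described in the ticket with a fake clock."""
    cache = HSTSCache()
    cache.observe("example.com", "max-age=1000; includeSubDomains", now=0)
    # Subdomain sets its own, shorter timer: the superdomain timer must not move.
    cache.observe("foo.example.com", "max-age=100", now=10)
    super_after_sub = cache.expiry("example.com")
    # Subdomain asks to be forgotten: its entry goes, the superdomain still covers it.
    cache.observe("foo.example.com", "max-age=0", now=20)
    foo_still_covered = cache.is_known("foo.example.com", now=20)
    # Vice versa: the superdomain clearing itself must not clear a subdomain entry.
    cache.observe("foo.example.com", "max-age=100", now=30)
    cache.observe("example.com", "max-age=0", now=31)
    return {
        "superdomain_expiry_after_subdomain_header": super_after_sub,
        "subdomain_covered_after_its_own_max_age_0": foo_still_covered,
        "superdomain_known_after_clear": cache.is_known("example.com", now=31),
        "subdomain_known_after_superdomain_clear": cache.is_known("foo.example.com", now=31),
        "subdomain_known_after_its_timer_expires": cache.is_known("foo.example.com", now=131),
    }
```

The design point is that `observe` only ever writes the entry for the exact host that sent the header, while `is_known` reads both the exact entry and any superdomain entries flagged includeSubDomains. That separation is what keeps a subdomain's `max-age=0` from shortening or clearing the superdomain's timer, and a superdomain's `max-age=0` from clearing a subdomain that set its own policy.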