Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

=JeffH <> Tue, 21 August 2012 19:47 UTC

Date: Tue, 21 Aug 2012 12:46:45 -0700
From: =JeffH <>
To: Tobias Gondrom <>
Cc: IETF WebSec WG <>
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Tobias replied:
 > I replied:
 >> Tobias wrote
 >> > Look at it in reverse order:
 >> > 1. We visit and receive HSTS with
 >> > max-age=1234567890
 >> > 2. We visit and receive HSTS with max-age=0 ;
 >> > includeSubdomains
 >> >
 >> > as far as I remember that would actually clear HSTS for
 >> >
 >> No, it would not do so.  As Adam said, the user agent maintains a list
 >> of distinct host names which have issued the HSTS Policy (aka STS
 >> header field).
 >> The above scenario would result in no entry for, and an
 >> entry for
 > Fine by me. Am just wondering on whether this is unambiguous enough from
 > the draft?
 > Do we need to be more clear on that? Or did I miss a clarifying point on
 > that somewhere in the draft?

well, there's also the normative text about this in Section 8.1 
"Strict-Transport-Security Response Header Field Processing". But there's no 
forward reference to it from S 6.1.x.

I'll try to fix that, see below.

 > Specifically my confusion came when reading 6.1.1 and 6.1.2 and trying
 > to apply them as:
 > first 6.1.1.: "A max-age value of zero (i.e., "max-age=0") signals the UA to
 >            cease regarding the host as a Known HSTS Host."
 > and then the next sentence in 6.1.2. "..."includeSubDomains" directive
 > is a valueless flag which,
 >     if present, signals to the UA that the HSTS Policy applies to this
 > HSTS Host as well as any subdomains"
 > Could that be misread as "0" means cease HSTS and then
 > "includeSubDomains" extends that meaning to all subdomains?

no, that's not how it's supposed to work, but like I said above, the normative 
text is in section 8.1.

So, I've made some updates in my -13 working copy to try to polish this out a bit...


6.1.1.  The max-age Directive

    The REQUIRED "max-age" directive specifies the number of seconds,
    after the reception of the STS header field, during which the UA
    regards the host (from whom the message was received) as a Known HSTS
    Host. ...

    NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to
           cease regarding the host as a Known HSTS Host, including the
           includeSubDomains flag (if set for that HSTS Host).  See also
           Section 8.1 "Strict-Transport-Security Response Header Field
           Processing".

8.1.  Strict-Transport-Security Response Header Field Processing


       The max-age value is essentially a "time to live" value relative
       to the reception time of the STS header field.

       If the max-age header field value token has a value of zero, the
       UA MUST remove its cached HSTS Policy information (including the
       includeSubDomains flag if set) if the HSTS Host is known, or, MUST
       NOT note this HSTS Host if it is not yet known.


note the now-explicit mention of treatment of the includeSubDomains flag in the 
above excerpts.

Does that help clarify things?
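To make the Section 8.1 rule concrete, here is a small model of a UA's Known HSTS Host cache that implements the behaviour the excerpts describe. This is an added example, not text or code from the draft or from either participant in the thread. The host names (example.com, www.example.com, api.example.com) are constructed placeholders, since the original message elides the hosts used in the scenario; treating a repeated max-age directive as malformed is a simplification of this toy parser, not a claim about the draft.

```python
"""Toy model of the HSTS host cache described in draft Section 8.1.

Added example; not the draft's text and not code from the thread.
Host names used below are constructed placeholders.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float          # reception time + max-age ("time to live")
    include_subdomains: bool   # the includeSubDomains flag for this host


def parse_sts_header(value: str) -> tuple[int, bool] | None:
    """Parse a Strict-Transport-Security field value.

    Returns (max_age, include_subdomains), or None when the field has no
    usable max-age. Directive names are case-insensitive; unknown
    directives are ignored. A repeated max-age is treated as malformed
    here (simplification in this toy parser).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit() or max_age is not None:
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Known HSTS Hosts, keyed by the exact host name that sent the header."""

    def __init__(self, clock=time.time):
        self._hosts: dict[str, HstsEntry] = {}
        self._clock = clock

    def process_header(self, host: str, value: str) -> None:
        parsed = parse_sts_header(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            # Section 8.1: remove the cached policy (flag included) if the
            # host is known; otherwise do not note the host at all.
            self._hosts.pop(host, None)
            return
        # Non-zero max-age: note the host, or refresh its TTL and flag.
        self._hosts[host] = HstsEntry(self._clock() + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        entry = self._hosts.get(host.lower())
        return entry is not None and entry.expires_at > self._clock()

    def should_upgrade(self, host: str) -> bool:
        """True if host is a live Known HSTS Host, or a parent domain is one
        with includeSubDomains set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= self._clock():
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def tobias_scenario() -> dict:
    """The reverse-order scenario from the thread (constructed host names)."""
    cache = HstsCache()
    cache.process_header("www.example.com", "max-age=1234567890")      # step 1
    cache.process_header("example.com", "max-age=0; includeSubdomains")  # step 2
    return {
        "parent_known": cache.is_known("example.com"),                # never noted
        "sub_known": cache.is_known("www.example.com"),               # untouched
        "upgrade_other_sub": cache.should_upgrade("api.example.com"),  # no parent flag
    }


def clear_flag_scenario() -> dict:
    """max-age=0 removes the includeSubDomains flag along with the entry."""
    cache = HstsCache()
    cache.process_header("example.com", "max-age=3600; includeSubDomains")
    before = cache.should_upgrade("api.example.com")   # via parent's flag
    cache.process_header("example.com", "max-age=0")
    after = cache.should_upgrade("api.example.com")    # flag gone with the entry
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(tobias_scenario())
    print(clear_flag_scenario())
```

The point the two scenarios isolate: max-age=0 only ever acts on the entry for the host name that sent the header, so a subdomain's own entry survives a parent's max-age=0, while a parent's includeSubDomains flag disappears together with the parent's entry.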