Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 18 August 2012 18:58 UTC

Message-ID: <502FE5CA.6070501@gondrom.org>
Date: Sat, 18 Aug 2012 19:58:18 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <50297CA6.6080506@mozilla.com> <CAJE5ia91-j4avKvvKSUj2P1K_U=EFwGd+feVqMNv8AtkWqSA7Q@mail.gmail.com>
In-Reply-To: <CAJE5ia91-j4avKvvKSUj2P1K_U=EFwGd+feVqMNv8AtkWqSA7Q@mail.gmail.com>
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Hi David and Adam,

That was my understanding from the draft so far, too. See section 6.1.2, 
first paragraph.

Having said that, David may be right and we could be more explicit about 
the fact that max-age=0 and includeSubDomains does not reach up in the 
tree (for example by adding one more example).
It was clear to me from the text, but well, I can be too deep in things 
from time to time and take things for granted. Any other opinions on this?

Best, Tobias


On 13/08/12 23:29, Adam Barth wrote:
> The way the implementation in Chrome works is that max-age=0 only
> clears the entry for that particular host name.  If there's another
> shorter host name with includeSubdomains, that isn't affected.
>
> Adam
>
>
> On Mon, Aug 13, 2012 at 3:16 PM, David Keeler <dkeeler@mozilla.com> wrote:
>> Hello,
>>
>> The current HSTS spec draft says "A max-age value of zero (i.e.,
>> "max-age=0") signals the UA to cease regarding the host as a Known HSTS
>> Host." (section 6.1.1) How does this interact with the includeSubdomains
>> directive?
>> For instance, if the UA receives an HSTS header with includeSubdomains
>> from example.com but then receives an HSTS header with max-age=0 from
>> sub.example.com, is sub.example.com to be noted as an HSTS host?
>> Either way, I believe the language of the spec could be a bit more clear.
>>
>> Cheers,
>> David Keeler
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
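The behaviour Adam describes (max-age=0 removes only that host's own entry, while a shorter host name's includeSubDomains entry still covers it) modelled as a small Known HSTS Host store. This is an added illustration, not code from the thread or from any browser; the class and method names, and the sample hosts and headers, are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expiry: float            # absolute time after which the entry is stale
    include_subdomains: bool


class HstsStore:
    """Constructed model of a UA's Known HSTS Host list (not a real browser's code)."""

    def __init__(self):
        self.entries = {}    # host name -> HstsEntry

    def process_header(self, host, header, now=0.0):
        """Apply a Strict-Transport-Security header value received from `host` over TLS."""
        max_age, include_subdomains = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return                      # max-age is required; ignore a malformed header
        if max_age == 0:
            # max-age=0: cease regarding *this* host as a Known HSTS Host. Only its own
            # entry goes away; a superdomain's includeSubDomains entry is untouched.
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(now + max_age, include_subdomains)

    def is_known_hsts_host(self, host, now=0.0):
        """True if `host` has a fresh entry, or a superdomain has a fresh includeSubDomains entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expiry <= now:
                continue                # no entry, or expired
            if i == 0 or entry.include_subdomains:
                return True
        return False


def scenario():
    """David's question: includeSubDomains from example.com, then max-age=0 from sub.example.com."""
    store = HstsStore()
    store.process_header("example.com", "max-age=31536000; includeSubDomains")
    store.process_header("sub.example.com", "max-age=0")
    return store.is_known_hsts_host("sub.example.com")   # still True via example.com
```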