Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Adam Barth <ietf@adambarth.com> Mon, 13 August 2012 22:29 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B841921F86A5 for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 15:29:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3veZm4lAC47q for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 15:29:57 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4166D21F8620 for <websec@ietf.org>; Mon, 13 Aug 2012 15:29:57 -0700 (PDT)
Received: by yhq56 with SMTP id 56so4157116yhq.31 for <websec@ietf.org>; Mon, 13 Aug 2012 15:29:56 -0700 (PDT)
Received: by 10.236.138.138 with SMTP id a10mr12715123yhj.39.1344896996871; Mon, 13 Aug 2012 15:29:56 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by mx.google.com with ESMTPS id e24sm1537976yhh.4.2012.08.13.15.29.55 (version=SSLv3 cipher=OTHER); Mon, 13 Aug 2012 15:29:55 -0700 (PDT)
Received: by vcbfo14 with SMTP id fo14so4455801vcb.31 for <websec@ietf.org>; Mon, 13 Aug 2012 15:29:54 -0700 (PDT)
Received: by 10.220.154.148 with SMTP id o20mr9285986vcw.18.1344896994373; Mon, 13 Aug 2012 15:29:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.144.129 with HTTP; Mon, 13 Aug 2012 15:29:24 -0700 (PDT)
In-Reply-To: <50297CA6.6080506@mozilla.com>
References: <50297CA6.6080506@mozilla.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 13 Aug 2012 15:29:24 -0700
Message-ID: <CAJE5ia91-j4avKvvKSUj2P1K_U=EFwGd+feVqMNv8AtkWqSA7Q@mail.gmail.com>
To: David Keeler <dkeeler@mozilla.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 22:29:57 -0000

The way the implementation in Chrome works is that max-age=0 only
clears the entry for that particular host name.  If there's another
shorter host name with includeSubdomains, that isn't affected.

Adam


On Mon, Aug 13, 2012 at 3:16 PM, David Keeler <dkeeler@mozilla.com> wrote:
> Hello,
>
> The current HSTS spec draft says "A max-age value of zero (i.e.,
> "max-age=0") signals the UA to cease regarding the host as a Known HSTS
> Host." (section 6.1.1) How does this interact with the includeSubdomains
> directive?
> For instance, if the UA receives an HSTS header with includeSubdomains
> from example.com but then receives an HSTS header with max-age=0 from
> sub.example.com, is sub.example.com to be noted as an HSTS host?
> Either way, I believe the language of the spec could be a bit more clear.
>
> Cheers,
> David Keeler
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec