Opened 10 years ago
Closed 10 years ago
#37 closed enhancement (fixed)
Clarify that superdomain HSTS flag does not update max-age of subdomain's HSTS max-age and vice versa
| Reported by: | tobias.gondrom@… | Owned by: | draft-ietf-websec-strict-transport-sec@… |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | strict-transport-sec | Version: | |
| Severity: | In WG Last Call | Keywords: | |
| Cc: | jeff.hodges@… | | |
Description
The case is the following: A UA notes a superdomain, e.g. example.com, as a Known HSTS Host with "includeSubDomains". After that, the UA also receives an HSTS header from the subdomain foo.example.com (with or without "includeSubDomains") with a new max-age (a longer or shorter time).
The point is that in that case the HSTS timer of the superdomain (example.com) MUST NOT be changed (extended or shortened) to the timer used in the subdomain.
In fact the UA MUST keep both timers in cache independently, and if at some point either one of them is removed (be it due to expiry or because of an update setting max-age=0), the remaining HSTS value MUST still be kept intact and applied. This is mainly to prevent a subdomain from invalidating the HSTS flag of the superdomain or making it expire, and vice versa.
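A minimal UA-side cache that keeps the two timers independent, as an added example (not text from the ticket or the draft): entries are keyed by exact host, a received header only ever touches its own host's entry, and a lookup walks up the superdomains honouring includeSubDomains. Host names, the clock and the max-age values are constructed for illustration.

```python
"""Model of a UA's HSTS cache with independent per-host expiry timers.

Added example, not code from the ticket or the draft; hosts and
max-age values below are constructed.
"""
import time


class HstsCache:
    """One entry per exact host: host -> (expires_at, include_subdomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be simulated
        self._entries = {}

    def process_header(self, host, max_age, include_subdomains=False):
        """Apply a Strict-Transport-Security header received from `host`.

        Only `host`'s own entry is created, replaced or deleted; the timer of
        any superdomain or subdomain entry is never extended or shortened.
        """
        host = host.lower().rstrip(".")
        if max_age <= 0:
            self._entries.pop(host, None)   # max-age=0 removes this host only
        else:
            self._entries[host] = (self._now() + max_age, include_subdomains)

    def expires_at(self, host):
        """Return the stored expiry for `host`'s own entry, or None."""
        entry = self._entries.get(host.lower().rstrip("."))
        return entry[0] if entry else None

    def is_known_hsts_host(self, host):
        """True if `host` matches a live entry: its own, or a superdomain
        entry whose includeSubDomains flag is set. Expired entries are
        dropped individually; every other entry stays intact."""
        host = host.lower().rstrip(".")
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self._entries[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False
```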
Change History (1)
comment:1 Changed 10 years ago by jeff.hodges@…
- Resolution set to fixed
- Severity changed from - to In WG Last Call
- Status changed from new to closed
fixed in -07