Opened 11 years ago

Closed 10 years ago

#8 closed defect (fixed)

clarify/explain behavior when STS header not returned by known HSTS Host

Reported by: jeff.hodges@…
Owned by: =JeffH
Priority: major
Milestone:
Component: strict-transport-sec
Version:
Severity: Active WG Document
Keywords:
Cc:

Description

http://www.ietf.org/mail-archive/web/websec/current/msg00045.html

Subject: Re: [websec] Some questions about HSTS
From: "Steingruebl, Andy" <asteingruebl@…>
Date: Mon, 22 Nov 2010 09:57:21 -0700 (08:57 PST)
To: Yoav Nir <ynir@…>, "'websec@…'" <websec@…>

<snip/>

My second question regards the UA behavior when policy changes. Suppose
a website has had the HSTS header for a while. The UA has a cache entry with
a TTL of several more weeks. Now the UA connects to the server (over
HTTPS) and does not get an HSTS header at all. What now? If there was a
header and it was merely changed, the spec says to update the cache entry.
But if the header is missing altogether, does that mean that the UA should
delete the cache entry?

I think we can make this clear, but until the client receives a new header, it does not tinker with the cache. We do say the header should be present in all /most server responses, but the behavior should be that the value persists until set to something else.

Change History (1)

comment:1 Changed 10 years ago by jeff.hodges@…

  • Resolution set to fixed
  • Status changed from new to closed