
Re: STS user-agent processing and new max-age values

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Fri, 11 Dec 2009 14:46:49 -0800
Message-ID: <4B22CBD9.2090603@KingsMountain.com>
To: public-web-security@w3.org
thanks for the feedback,


 > Section 7.1 of the STS spec[0] describes that when a known STS server
 > sends a new STS header, the UA must update the cached information
 > about the server.   Some Mozilla web developers interested in STS
 > are concerned that it is not clear enough how UAs will behave when the
 > same STS header is sent for every request -- they are in particular
 > concerned that it may not be obvious to some spec readers that the
 > cached data is "time-received + max-age" and not just the value of
 > max-age.   It currently reads:
 >
 > "Update its cached information for the Known STS Server if the max-age
 > and/or includeSubDomains header field value tokens are conveying
 > information different than that already held by the UA."
 >
 > Would it be possible/helpful to clarify this a bit,

Yes, it is of course possible to clarify :)  Will do so in -06.

I note that the definition of max-age in sec 5.1 needs work also.


 > by mentioning that
 > the updated cached data includes any expiration times calculated based
 > on max-age *and* receipt time of the HTTP header?  This would
 > eliminate any possible confusion about max-age being a time-to-live,
 > not an expiration time.

Overall I think the right thing to do is clarify that max-age stipulates simply 
a cache-entry-time-to-live-after-STS-header-receipt. Perhaps also mention in 
section 10 UA advice that any timestamps derived from received max-age values 
may require consistent updating.

=JeffH
Received on Friday, 11 December 2009 22:47:19 GMT
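The behaviour discussed in the message above (the UA caches an absolute expiry computed as receipt time + max-age, and refreshes it every time the header is received), as an added example that is not part of the original message, the draft spec, or any browser's code: a minimal JavaScript model of a UA's Known STS Server cache. The header syntax (`max-age=<seconds>` with an optional `includeSubDomains` token), the function and class names, and the treatment of `max-age=0` as "forget this host" (which RFC 6797 later specified, and which is an assumption here) are illustrative choices.

```javascript
'use strict';

// Added example, not spec or browser code. Models how a UA should treat the
// STS max-age directive: as a time-to-live counted from header receipt, so
// the cached state is an absolute expiry timestamp, not the raw max-age.

// Parse a Strict-Transport-Security header value into its directives.
// Returns null when max-age is missing or not a non-negative integer.
function parseSts(headerValue) {
  const directives = headerValue.split(';').map(s => s.trim()).filter(Boolean);
  let maxAge = null;
  let includeSubDomains = false;
  for (const d of directives) {
    const [name, value] = d.split('=').map(s => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age') {
      if (!/^\d+$/.test(value || '')) return null;
      maxAge = Number(value);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// Known STS Server cache: host -> { expiresAt (ms since epoch), includeSubDomains }.
class StsCache {
  constructor() {
    this.entries = new Map();
  }

  // Called when an STS header arrives over a secure transport at time `now` (ms).
  // The stored value is receipt time + max-age, so re-sending the same header
  // on every response keeps sliding the expiry forward. A max-age of 0 is
  // treated (by assumption here) as a request to drop the host from the cache.
  receive(host, headerValue, now) {
    const parsed = parseSts(headerValue);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) {
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expiresAt: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` a Known STS Server at time `now`? Expired entries are purged
  // as they are encountered; includeSubDomains covers labels below the host.
  isKnown(host, now) {
    for (const [h, e] of this.entries) {
      if (e.expiresAt <= now) {
        this.entries.delete(h); // deleting during Map iteration is safe in JS
        continue;
      }
      if (h === host) return true;
      if (e.includeSubDomains && host.endsWith('.' + h)) return true;
    }
    return false;
  }

  // Absolute expiry for `host`, or null if not cached.
  expiresAt(host) {
    const e = this.entries.get(host);
    return e ? e.expiresAt : null;
  }
}

// Walk-through with a constructed clock: the second receipt of an identical
// header 30 minutes later moves the expiry to t0 + 90 minutes, which is the
// point the message above wants the spec to make explicit.
function demo() {
  const cache = new StsCache();
  const t0 = 1000000;
  cache.receive('example.com', 'max-age=3600', t0);
  const first = cache.expiresAt('example.com');
  cache.receive('example.com', 'max-age=3600', t0 + 30 * 60 * 1000);
  const second = cache.expiresAt('example.com');
  return { first, second, extendedBy: second - first };
}

module.exports = { parseSts, StsCache, demo };
```

Because the cache holds absolute timestamps derived from the UA's clock at receipt time, a large clock adjustment shifts every entry's remaining lifetime; that is the "timestamps derived from received max-age values may require consistent updating" concern raised for the section 10 UA advice.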
