W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

STS user-agent processing and new max-age values

From: Sid Stamm <sidstamm@gmail.com>
Date: Fri, 11 Dec 2009 14:17:46 -0800
Message-ID: <fb1f0f230912111417o11b66b8g690b52f79a23e304@mail.gmail.com>
To: public-web-security@w3.org
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Section 7.1 of the STS spec[0] describes that when a known STS server
sends a new STS header, the UA must update the cached information
about the server.   Some web Mozilla web developers interested in STS
are concerned that it is not clear enough how UAs will behave when the
same STS header is sent for every request -- they are in particular
concerned that it may not be obvious to some spec readers that the
cached data is "time-received + max-age" and not just the value of
max-age.   It currently reads:

"Update its cached information for the Known STS Server if the max-age
and/or includeSubDomains header field value tokens are conveying
information different than that already held by the UA."

Would it be possible/helpful to clarify this a bit, by mentioning that
the updated cached data includes any expiration times calculated based
on max-age *and* receipt time of the HTTP header?  This would
eliminate any possible confusion about max-age being a time-to-live,
not an expiration time.

-Sid

[0] http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
Received on Friday, 11 December 2009 23:42:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT