
Re: STS and lockCA

From: Devdatta <dev.akhawe@gmail.com>
Date: Wed, 11 Nov 2009 01:36:31 -0800
Message-ID: <ecf35a1b0911110136v3681aad9s95b360320a722101@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Bil Corry <bil@corry.biz>, Gervase Markham <gerv@mozilla.org>, public-webapps@w3.org
>> One idea to consider, especially for lockCA, is to somehow denote that STS should expire at the same time
>> as the cert, perhaps by  omitting max-age or allowing max-age=cert, etc.  This will prevent accidentally
>> causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.
>
> Why do we need a browser mechanism for that?  It seems like the site
> can easily compute whatever max-age value it wishes to set.

I am actually afraid that the website can easily miscompute that.

In general, with STS, I am afraid of sites miscalculating some
max-age-like setting and taking themselves offline. Having browsers
automatically expire STS at the same time as the cert makes sense to
me. Sites that do their certs right do not lose any security
properties, and sites that mess up, in the worst case, fall back to old
HTTP/HTTPS behaviour (and do not take themselves offline).

You could of course argue that an STS site's admin won't be stupid. While
I wouldn't put my money on that, that's an assumption that the
specification is free to make but should be explicit about (e.g. by
telling the spec reader: we are assuming you are smart; if you mess
up you can easily take your site offline).

Cheers
Devdatta

2009/11/11 Adam Barth <w3c@adambarth.com>:
> On Tue, Nov 10, 2009 at 7:40 PM, Bil Corry <bil@corry.biz> wrote:
>> Gervase Markham wrote on 10/01/2009 5:51 PM:
>>> I therefore propose a simple extension to the STS standard; a single
>>> token to be appended to the end of the header:
>>>
>>> lockCA
>>
>> One idea to consider, especially for lockCA, is to somehow denote that STS should expire at the same time as the cert, perhaps by omitting max-age or allowing max-age=cert, etc.  This will prevent accidentally causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.
>
> Why do we need a browser mechanism for that?  It seems like the site
> can easily compute whatever max-age value it wishes to set.
>
> Adam
>
>
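The two positions in the thread above (the site computes max-age from its own certificate, versus the browser clamping the STS lifetime to the certificate) can be put side by side in code. The following is an added example written for this archive page, not code from any participant or from the STS specification: it parses a Strict-Transport-Security header, computes the max-age a site would set to make the policy expire with its cert, audits a header for outliving the cert (the "take yourself offline" failure mode), and models Bil's proposal. The dates, the header values, and the reading of "max-age=cert" / an omitted max-age as "expire with the certificate" are constructed assumptions, not anything the spec or the thread defines.

```python
"""
Added example (not from the thread or the STS spec): relate an STS header's
max-age to the remaining validity of the site's certificate, and model the
proposed "expire STS with the cert" behaviour. All dates and header values
below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone


def parse_sts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a dict of
    directives (lower-cased names; value None for bare tokens such as
    includeSubDomains or the proposed lockCA)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def max_age_for_cert(now: datetime, cert_not_after: datetime) -> int:
    """The max-age a site would set so that STS expires together with its
    cert: the computation Adam says the site can do for itself."""
    remaining = int((cert_not_after - now).total_seconds())
    return max(remaining, 0)


def sts_expiry(now: datetime, header: str, cert_not_after: datetime,
               expire_with_cert: bool = False) -> datetime:
    """Instant at which the STS policy stops applying.

    Default: now + max-age, regardless of the cert (current behaviour).
    expire_with_cert=True models Bil's proposal: the policy never outlives
    the cert it was received under. ASSUMPTION: "max-age=cert" or an
    omitted max-age then means "expire exactly with the cert"."""
    directives = parse_sts(header)
    raw = directives.get("max-age")
    if expire_with_cert and raw in (None, "cert"):
        return cert_not_after
    if raw is None:
        raise ValueError("max-age directive is required")
    try:
        max_age = int(raw)
    except ValueError:
        raise ValueError(f"invalid max-age: {raw!r}")
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    expiry = now + timedelta(seconds=max_age)
    if expire_with_cert:
        expiry = min(expiry, cert_not_after)
    return expiry


def check(now: datetime, header: str, cert_not_after: datetime) -> dict:
    """Audit: does the STS policy (under current semantics) outlive the cert?
    If it does and the replacement cert goes wrong, UAs keep refusing the
    site until the overrun has elapsed: the miscomputation Devdatta fears."""
    expiry = sts_expiry(now, header, cert_not_after)
    overrun = int((expiry - cert_not_after).total_seconds())
    return {"outlives_cert": expiry > cert_not_after,
            "overrun_seconds": max(overrun, 0)}


# Constructed sample data: a cert with about five and a half months left,
# one "one year" header set by hand, and one derived from the cert.
NOW = datetime(2009, 11, 11, 9, 36, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2010, 5, 1, 0, 0, tzinfo=timezone.utc)
HEADER_LONG = "max-age=31536000; includeSubDomains"
HEADER_FIT = f"max-age={max_age_for_cert(NOW, CERT_NOT_AFTER)}"
HEADER_CERT = "max-age=cert; lockCA"

if __name__ == "__main__":
    print("hand-set header:", check(NOW, HEADER_LONG, CERT_NOT_AFTER))
    print("derived header: ", check(NOW, HEADER_FIT, CERT_NOT_AFTER))
    print("clamped expiry: ",
          sts_expiry(NOW, HEADER_LONG, CERT_NOT_AFTER, expire_with_cert=True))
    print("max-age=cert:   ",
          sts_expiry(NOW, HEADER_CERT, CERT_NOT_AFTER, expire_with_cert=True))
```

Under the default semantics the one-year header outlives the constructed cert by roughly 194 days; with `expire_with_cert=True` the same header is clamped to the cert's notAfter, which is the property Bil asks for and Adam says the site can achieve by setting `HEADER_FIT` itself.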
Received on Wednesday, 11 November 2009 09:37:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT