- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Fri, 11 Dec 2009 14:46:49 -0800
- To: public-web-security@w3.org
thanks for the feedback,

> Section 7.1 of the STS spec[0] describes that when a known STS server
> sends a new STS header, the UA must update the cached information
> about the server. Some Mozilla web developers interested in STS
> are concerned that it is not clear enough how UAs will behave when the
> same STS header is sent for every request -- they are in particular
> concerned that it may not be obvious to some spec readers that the
> cached data is "time-received + max-age" and not just the value of
> max-age. It currently reads:
>
> "Update its cached information for the Known STS Server if the max-age
> and/or includeSubDomains header field value tokens are conveying
> information different than that already held by the UA."
>
> Would it be possible/helpful to clarify this a bit,

Yes, it is of course possible to clarify :) will do so in -06.

I note that the definition of max-age in sec 5.1 needs work also.

> by mentioning that
> the updated cached data includes any expiration times calculated based
> on max-age *and* receipt time of the HTTP header? This would
> eliminate any possible confusion about max-age being a time-to-live,
> not an expiration time.

overall I think the right thing to do is clarify that max-age stipulates simply a cache-entry-time-to-live-after-STS-header-receipt.

Perhaps also mention in section 10 UA advice that any timestamps derived from received max-age values may require consistent updating.

=JeffH
Received on Friday, 11 December 2009 22:47:19 UTC
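The behaviour the thread is asking the spec to spell out, written out as an added example (this is not code from the thread, from Mozilla, or from the STS draft): a minimal user-agent STS cache that stores an absolute expiry computed as receipt time plus max-age, so that a server re-sending the same header on every response keeps sliding the expiry forward rather than leaving the original expiration in place. The class and function names are my own; the handling of max-age=0 as "forget this host" and of a duplicated max-age as a malformed header follow what I know of the later RFC 6797 text, not the -05 draft discussed here.

```python
"""Added example: a UA-side STS cache where the cached datum is an absolute
expiry (time-received + max-age), not the bare max-age value."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Directive grammar is deliberately small: max-age=<digits> and includeSubDomains,
# each matched against one ';'-separated directive (hypothetical helper names).
_MAX_AGE = re.compile(r'^\s*max-age\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)
_INCLUDE = re.compile(r"^\s*includeSubDomains\s*$", re.IGNORECASE)


@dataclass
class StsEntry:
    expires_at: float          # absolute clock time: receipt time + max-age
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains), or None if the header is
    malformed (no max-age, or max-age given more than once)."""
    max_age = None
    include = False
    for directive in value.split(";"):
        m = _MAX_AGE.match(directive)
        if m:
            if max_age is not None:
                return None            # duplicated max-age: treat as malformed
            max_age = int(m.group(1))
        elif _INCLUDE.match(directive):
            include = True
        # unknown directives are ignored
    if max_age is None:
        return None
    return max_age, include


class StsCache:
    """Known STS Servers, keyed by host name."""

    def __init__(self) -> None:
        self._entries: Dict[str, StsEntry] = {}

    def update(self, host: str, header_value: str, received_at: float) -> Optional[StsEntry]:
        """Process a Strict-Transport-Security header received from `host` at
        `received_at`. Every valid header refreshes the expiry, even when the
        max-age value is identical to the one already cached."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return None                # malformed header: leave cache untouched
        max_age, include = parsed
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0: forget the host
            return None
        entry = StsEntry(expires_at=received_at + max_age, include_subdomains=include)
        self._entries[host] = entry
        return entry

    def is_known(self, host: str, now: float) -> bool:
        """True if `host` (or a superdomain with includeSubDomains) has an
        unexpired entry; expired entries are evicted on lookup."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires_at:
                del self._entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def demo() -> Tuple[bool, bool]:
    """Constructed timeline: the same 'max-age=1000' header at t=0 and t=500.
    Returns (known_at_1200_with_refresh, known_at_1200_without_refresh)."""
    refreshed = StsCache()
    refreshed.update("example.com", "max-age=1000", received_at=0)
    refreshed.update("example.com", "max-age=1000", received_at=500)   # expiry -> 1500

    stale = StsCache()
    stale.update("example.com", "max-age=1000", received_at=0)         # expiry stays 1000

    return refreshed.is_known("example.com", 1200), stale.is_known("example.com", 1200)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The `demo()` timeline is the point of the thread: if the UA had stored only the max-age value and not recomputed the expiry on each receipt, the second, identical header would have been a no-op under the "only update if the tokens differ" wording, and the host would have dropped out of the cache at t=1000 despite the server asserting the policy continuously.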