- From: Sid Stamm <sidstamm@gmail.com>
- Date: Fri, 11 Dec 2009 14:17:46 -0800
- To: public-web-security@w3.org
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Section 7.1 of the STS spec[0] describes that when a known STS server sends a new STS header, the UA must update the cached information about the server. Some Mozilla web developers interested in STS are concerned that it is not clear enough how UAs will behave when the same STS header is sent for every request -- they are in particular concerned that it may not be obvious to some spec readers that the cached data is "time-received + max-age" and not just the value of max-age.

It currently reads:

"Update its cached information for the Known STS Server if the max-age and/or includeSubDomains header field value tokens are conveying information different than that already held by the UA."

Would it be possible/helpful to clarify this a bit, by mentioning that the updated cached data includes any expiration times calculated based on max-age *and* receipt time of the HTTP header? This would eliminate any possible confusion about max-age being a time-to-live, not an expiration time.

-Sid

[0] http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
Received on Friday, 11 December 2009 23:42:08 UTC
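The semantic the message asks the draft to spell out, as an added illustration (not Sid's, Mozilla's or the draft's code): a UA-side STS cache that stores an absolute expiry of receipt time + max-age and recomputes it every time a header arrives, so a host that resends an unchanged header on every response keeps its entry alive instead of silently expiring max-age seconds after the first receipt. The parser follows the draft-05 directive syntax cited above (a mandatory max-age, an optional includeSubDomains, unknown directives ignored); the names StsCache, StsEntry and parse_sts_header, and the use of plain seconds for time, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of UA-side STS cache semantics; not Mozilla's or the
# draft's implementation.


@dataclass
class StsEntry:
    expires_at: float        # absolute time: receipt time + max-age
    include_subdomains: bool


_MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS field value into (max_age_seconds, includeSubDomains).

    Directives are ';'-separated and case-insensitive; max-age is mandatory.
    Returns None when the header is unusable and the UA must ignore it.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if name == "max-age":
            m = _MAX_AGE_RE.match(val)
            if m is None or max_age is not None:   # malformed or duplicated
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored for forward compatibility
    if max_age is None:
        return None
    return max_age, include_subdomains


class StsCache:
    """Per-host STS state as a UA would keep it across responses."""

    def __init__(self) -> None:
        self._hosts: Dict[str, StsEntry] = {}

    def process_header(self, host: str, value: str, received_at: float) -> bool:
        """Apply one received STS header; returns False if it was ignored."""
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)       # max-age=0 forgets the host
            return True
        # The cached value is receipt time + max-age, recomputed on every
        # header seen: an unchanged header still slides the expiry forward.
        self._hosts[host] = StsEntry(received_at + max_age, include_subdomains)
        return True

    def expires_at(self, host: str) -> Optional[float]:
        entry = self._hosts.get(host.lower())
        return entry.expires_at if entry else None

    def is_known_sts_host(self, host: str, now: float) -> bool:
        """True if host (or a parent with includeSubDomains) is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires_at:
                del self._hosts[candidate]    # lazily drop expired entries
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    cache = StsCache()
    hdr = "max-age=1000; includeSubDomains"
    cache.process_header("example.com", hdr, received_at=0)
    cache.process_header("example.com", hdr, received_at=500)   # same header
    print(cache.expires_at("example.com"))                       # 1500, not 1000
    print(cache.is_known_sts_host("www.example.com", now=1200))  # True
```

The second `process_header` call in the demo is the case the message worries about: the header tokens are identical, so a reader who takes Section 7.1 literally might not refresh anything, yet the expiry must still move from 1000 to 1500 because it is derived from the new receipt time.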