Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)
On 03/01/12 08:22, Julian Reschke wrote:
> On 2012-01-03 07:26, Yoav Nir wrote:
>> On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
>>> Julian wondered..
>>>> wouldn't it make sense to have a default for max-age so it can be made OPTIONAL?
>>>
>>> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.
>>
>> I tend to agree, but it's not deployers who are going to do the thinking - it's the implementers of web servers. So somewhere, in some control panel for IIS, or a config file for Apache, or some WebUI for some SSL-VPN, there's going to be a configuration to turn on HSTS, and that product is going to have a default max-age. The deployers are just going to check the box.
>>
>> I think we should provide guidance for those implementers as to what is a good default there.
>> ...
>
> If we know a good default then it should be the default on the wire (IMHO). It would help getting predictable behavior when it's missing. (Right now the spec allows recipients to do anything they want when it's missing, right?)
>
> Best regards, Julian

hat=individual

Well, the optimal default may actually depend on the host. So we might want to describe what good values might be under which circumstances. E.g. long time-spans when using a very trusted process and provider, shorter time-spans with less capable / higher risk of bricking yourself / losing your private key / ...

Thinking about the idea of a default of max-age = 0: AFAIK this would be equivalent to it being disabled, correct? (Not sure I'd like that: imagine in an Admin GUI you enable HSTS/Cert Pinning and then don't set the max-age and have basically disabled it.)

On the other hand I believe the optimal value would be host specific, and therefore there SHOULD NOT be a global default value !=0.
:-( (= Thereby vanishing myself in a puff of logic...)

Best regards, Tobias

___ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)
On 2012-01-03 07:26, Yoav Nir wrote:
> On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
>> Julian wondered..
>>> wouldn't it make sense to have a default for max-age so it can be made OPTIONAL?
>>
>> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.
>
> I tend to agree, but it's not deployers who are going to do the thinking - it's the implementers of web servers. So somewhere, in some control panel for IIS, or a config file for Apache, or some WebUI for some SSL-VPN, there's going to be a configuration to turn on HSTS, and that product is going to have a default max-age. The deployers are just going to check the box.
>
> I think we should provide guidance for those implementers as to what is a good default there.
> ...

If we know a good default then it should be the default on the wire (IMHO). It would help getting predictable behavior when it's missing. (Right now the spec allows recipients to do anything they want when it's missing, right?)

Best regards, Julian
Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)
On Tue, Jan 3, 2012 at 12:22 AM, Julian Reschke julian.resc...@gmx.de wrote:
> On 2012-01-03 07:26, Yoav Nir wrote:
>> On Jan 3, 2012, at 1:29 AM, =JeffH wrote:
>>> Julian wondered..
>>>> wouldn't it make sense to have a default for max-age so it can be made OPTIONAL?
>>>
>>> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.
>>
>> I tend to agree, but it's not deployers who are going to do the thinking - it's the implementers of web servers. So somewhere, in some control panel for IIS, or a config file for Apache, or some WebUI for some SSL-VPN, there's going to be a configuration to turn on HSTS, and that product is going to have a default max-age. The deployers are just going to check the box.
>>
>> I think we should provide guidance for those implementers as to what is a good default there.
>> ...
>
> If we know a good default then it should be the default on the wire (IMHO). It would help getting predictable behavior when it's missing. (Right now the spec allows recipients to do anything they want when it's missing, right?)

We should define the behavior in any case, which I guess means I'm advocating a default max-age of zero.

Adam
[websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)
Julian wondered..
> wouldn't it make sense to have a default for max-age so it can be made OPTIONAL?

hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.

=JeffH
Re: [websec] default value for max-age ? (was: Re: Strict-Transport-Security syntax redux)
On Mon, Jan 2, 2012 at 3:29 PM, =JeffH jeff.hod...@kingsmountain.com wrote:
> Julian wondered..
>> wouldn't it make sense to have a default for max-age so it can be made OPTIONAL?
>
> hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.

Makes sense to me. Chrome currently ignores the header if the server doesn't specify a max-age.

Adam
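The two recipient behaviours discussed in this thread, as an added example that is not part of the mailing-list posts or of any browser's code: a header with no max-age is treated as invalid and ignored (the behaviour Adam describes for Chrome), while an explicit max-age=0 removes the host's HSTS entry, which is why a default of zero would amount to "disabled" as Tobias notes. The in-memory store, the function names and the `now` parameter are assumptions made for the example.

```python
import re
import time

# One directive: name, optionally "=" value (token or quoted-string).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;"\s]+))?\s*')


def parse_sts(header):
    """Parse a Strict-Transport-Security field value.
    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header must be ignored: max-age missing (the REQUIRED directive the
    thread discusses), non-numeric, or a directive repeated."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:
            return None
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.strip('"').isdigit():
                return None
            max_age = int(value.strip('"'))
        elif name == 'includesubdomains':
            include_sub = True
        # any other directive is unknown and skipped (forward compatibility)
    if max_age is None:
        return None
    return {'max_age': max_age, 'include_subdomains': include_sub}


def apply_sts(store, host, header, now=None):
    """Update an in-memory HSTS store (host -> policy) from one response header.
    Ignored headers leave the store untouched; max-age=0 deletes the entry,
    so a zero default would be equivalent to HSTS being switched off."""
    now = time.time() if now is None else now
    policy = parse_sts(header)
    if policy is None:
        return store
    if policy['max_age'] == 0:
        store.pop(host, None)
    else:
        store[host] = {'expires': now + policy['max_age'],
                       'include_subdomains': policy['include_subdomains']}
    return store
```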