> The point of "this is testing" is the opposite: people who can't talk to you
> because you've configured HSTS in a way inconsistent with your
> actual site posture.
> -Ekr
Can you give us an example of how/where you think this could occur and how it is distinct from other ways you could, using existing technology, kill your site? As an admittedly snarky example, you could easily publish a bad A record in DNS and you'd never see any traffic at all, but there isn't a "test new A record" flag or "test new MX server" flag in the DNS.

We assume that as part of deploying HSTS people do some basic checks like make sure their website actually responds over HTTPS and generates webserver logs, and they know which domain they are publishing HSTS records for.

Some specifics would help me a lot to understand the concerns.

- Andy

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
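The "basic checks" Andy describes, written out as a small pre-publication posture check. This is an added example and not code from the websec thread or from any of its participants. It parses a Strict-Transport-Security header value per the RFC 6797 directive grammar and then, for every host the policy would cover (the policy host itself, plus any subdomains in your inventory when `includeSubDomains` is set), confirms that the host is reachable over HTTPS. The HTTPS probe is injected as a callable, and the host inventory and their HTTPS status (`CONSTRUCTED_HTTPS_STATUS`, `constructed_probe`, `hsts_posture_report`, `parse_sts`) are constructed for the example so it runs offline; in real use the probe would be a TLS connection with certificate validation.

```python
"""Pre-publication HSTS posture check (added example, not from the websec thread)."""
from typing import Callable, Dict, List, Optional

# Constructed inventory: which hosts in our deployment answer over HTTPS.
# "legacy.example.com" is a hypothetical HTTP-only host that includeSubDomains
# would silently cut off for every browser that has seen the policy.
CONSTRUCTED_HTTPS_STATUS: Dict[str, bool] = {
    "example.com": True,
    "www.example.com": True,
    "legacy.example.com": False,
    "other.example.net": True,   # unrelated domain, never covered by the policy
}


def constructed_probe(host: str) -> bool:
    """Stand-in for a real HTTPS probe; looks up the constructed table."""
    return CONSTRUCTED_HTTPS_STATUS.get(host, False)


def parse_sts(header: str) -> Dict[str, Optional[str]]:
    """Parse an STS header value into {directive-name: value-or-None}.

    Follows RFC 6797 section 6.1: directives are ";"-separated, names are
    case-insensitive, a directive must not appear twice, and max-age is
    required with a non-negative integer value (optionally quoted).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        cleaned = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = cleaned
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def hsts_posture_report(policy_host: str, header: str, known_hosts: List[str],
                        https_ok: Callable[[str], bool]) -> Dict[str, object]:
    """Report which covered hosts would break if this policy were published."""
    directives = parse_sts(header)
    include_subdomains = "includesubdomains" in directives
    covered = [policy_host]
    if include_subdomains:
        covered += [h for h in known_hosts if h.endswith("." + policy_host)]
    broken = [h for h in covered if not https_ok(h)]
    return {
        "max_age": int(directives["max-age"]),  # type: ignore[arg-type]
        "include_subdomains": include_subdomains,
        "covered": covered,
        "broken": broken,
        "safe_to_publish": not broken,
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Compare a host-only policy with one that adds includeSubDomains."""
    hosts = list(CONSTRUCTED_HTTPS_STATUS)
    return {
        "host_only": hsts_posture_report(
            "example.com", "max-age=31536000", hosts, constructed_probe),
        "with_subdomains": hsts_posture_report(
            "example.com", 'max-age="31536000"; includeSubDomains', hosts, constructed_probe),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The host-only policy is consistent with the constructed posture, while adding `includeSubDomains` flags `legacy.example.com` as a host the policy would lock out, which is the kind of inconsistency between policy and actual posture the thread is discussing. Running the inventory check before publishing, and again whenever the header changes, keeps the policy and the deployment in step.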