On 29/06/2012 16:10, Steingruebl, Andy wrote:
The point of "this is testing" is the opposite: people who can't talk to you
because you've configured HSTS in a way inconsistent with your
actual site posture.
-Ekr
Can you give us an example of how/where you think this could occur and how it 
is distinct from other ways you could, using existing technology, kill your site?

Maybe this is not a good example, but I am thinking that something like OCSP retrieval failing on the client side is not something that would show up in the webserver logs.

As an admittedly snarky example you could easily publish a bad A record in DNS and you'd never see
any traffic at all, but there isn't a "test new A record flag" or "test new MX 
server" flag in the DNS.

There is, however, an "I am testing DKIM" flag published in DNS.

We assume that as part of deploying HSTS people do some basic checks like make 
sure their website actually responds over HTTPS and generates webserver logs, 
and they know which domain they are publishing HSTS records for.

Some specifics would help me a lot to understand the concerns.


_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
