datatracker.ietf.org

HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-14

Note: This ballot was opened for revision 13 and is now closed.

Summary: Needs 3 more YES or NO OBJECTION positions to pass.

Pete Resnick

Comment (2012-09-27 for -13)

6.1:

   Additional directives extending the semantic functionality of the STS
   header field can be defined in other specifications, with a registry
   (having an IANA policy definition of IETF Review [RFC5226]) defined
   for them at such time.

Is IETF Review really necessary? Seems to me "Specification Required" is more
than sufficient, and I would not be completely averse to "First Come First
Served".

15: Why not set up the directives registry now?

Stephen Farrell

Comment (2012-09-26 for -13)

This is a very well written document. Thanks!

Only comment I have is that 6.1 says that directives are
optional or required according to their definitions. Is it actually
possible to define a new required directive without breaking
interop with this spec? If not then I think saying that would
be good.

[Robert Sparks]

Comment (2012-09-29 for -14)

Thanks for addressing all of my comments.

[Sean Turner]

Comment (2012-09-26 for -13)

I was going to say "Well written indeed" and leave it at that but I thought s14
was outstanding.

In s11.2: Maybe make this a SHOULD:

 Additionally, server implementers should consider employing a default
 max-age value of zero in their deployment configuration systems.

or say:

 Additionally, it is RECOMMENDED that server implementers employ
 a default max-age value of zero in their deployment configuration
 systems.