HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-14

Summary: Needs 5 more YES or NO OBJECTION positions to pass.

Note: This ballot was opened for revision 13 and is now closed.

Stephen Farrell Yes

Comment (2012-09-26 for -13)
This is a very well written document. Thanks!

Only comment I have is that 6.1 says that directives are
optional or required according to their definitions. Is it actually
possible to define a new required directive without breaking
interop with this spec? If not then I think saying that would
be good.

Barry Leiba Yes

( Robert Sparks ) (was Discuss) Yes

Comment (2012-09-29 for -14)
Thanks for addressing all of my comments.

( spt ) Yes

Comment (2012-09-26 for -13)
I was going to say "Well written indeed" and leave it at that but I thought s14
was outstanding.

In s11.2: Maybe make this a SHOULD:

 Additionally, server implementers should consider employing a default
 max-age value of zero in their deployment configuration systems.

or say:

 Additionally, it is RECOMMENDED that server implementers employ
 a default max-age value of zero in their deployment configuration
 systems.

( Ron Bonica ) No Objection

( Stewart Bryant ) No Objection

( Gonzalo Camarillo ) No Objection

Benoit Claise No Objection

( Ralph Droms ) No Objection

( Wesley Eddy ) No Objection

( Adrian Farrel ) No Objection

Brian Haberman No Objection

( Russ Housley ) No Objection

( Pete Resnick ) No Objection

Comment (2012-09-27 for -13)
6.1:

   Additional directives extending the semantic functionality of the STS
   header field can be defined in other specifications, with a registry
   (having an IANA policy definition of IETF Review [RFC5226]) defined
   for them at such time.

Is IETF Review really necessary? Seems to me "Specification Required" is more
than sufficient, and I would not be completely averse to "First Come First
Served".

15: Why not set up the directives registry now?

Martin Stiemerling No Objection