HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-14
Note: This ballot was opened for revision 13 and is now closed.
(Stephen Farrell) Yes
Comment (2012-09-26 for -13)
This is a very well written document. Thanks! Only comment I have is that 6.1 says that directives are optional or required according to their definitions. Is it actually possible to define a new required directive without breaking interop with this spec? If not then I think saying that would be good.
(Barry Leiba) Yes
(Robert Sparks) (was Discuss) Yes
Comment (2012-09-29)
Thanks for addressing all of my comments.
(Sean Turner) Yes
Comment (2012-09-26 for -13)
I was going to say "Well written indeed" and leave it at that but I thought s14 was outstanding. In s11.2: Maybe make this a SHOULD: Additionally, server implementers should consider employing a default max-age value of zero in their deployment configuration systems. or say: Additionally, it is RECOMMENDED that server implementers employ a default max-age value of zero in their deployment configuration systems.
(Ron Bonica) No Objection
(Stewart Bryant) No Objection
(Gonzalo Camarillo) No Objection
Benoit Claise No Objection
(Ralph Droms) No Objection
(Wesley Eddy) No Objection
(Adrian Farrel) No Objection
(Brian Haberman) No Objection
(Russ Housley) No Objection
(Pete Resnick) No Objection
Comment (2012-09-27 for -13)
6.1: Additional directives extending the semantic functionality of the STS header field can be defined in other specifications, with a registry (having an IANA policy definition of IETF Review [RFC5226]) defined for them at such time. Is IETF Review really necessary? Seems to me "Specification Required" is more than sufficient, and I would not be completely averse to "First Come First Served". 15: Why not set up the directives registry now?