HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-14

Note: This ballot was opened for revision 13 and is now closed.

Stephen Farrell Yes

This is a very well written document. Thanks!

Only comment I have is that 6.1 says that directives are 
optional or required according to their definitions. Is it actually 
possible to define a new required directive without breaking 
interop with this spec? If not then I think saying that would 
be good.

(Barry Leiba) Yes

(Robert Sparks) (was Discuss) Yes

Thanks for addressing all of my comments.

(Sean Turner) Yes

I was going to say "Well written indeed" and leave it at that but I thought s14 was outstanding.

In s11.2: Maybe make this a SHOULD:

 Additionally, server implementers should consider employing a default
 max-age value of zero in their deployment configuration systems.

or say:

 Additionally, it is RECOMMENDED that server implementers employ
 a default max-age value of zero in their deployment configuration
 systems.

(Ron Bonica) No Objection

(Stewart Bryant) No Objection

(Gonzalo Camarillo) No Objection

Benoit Claise No Objection

(Ralph Droms) No Objection

(Wesley Eddy) No Objection

(Adrian Farrel) No Objection

(Brian Haberman) No Objection

(Russ Housley) No Objection

(Pete Resnick) No Objection

6.1:

   Additional directives extending the semantic functionality of the STS
   header field can be defined in other specifications, with a registry
   (having an IANA policy definition of IETF Review [RFC5226]) defined
   for them at such time.

Is IETF Review really necessary? Seems to me "Specification Required" is more than sufficient, and I would not be completely averse to "First Come First Served".

15: Why not set up the directives registry now?

(Martin Stiemerling) No Objection