RFC Errata
RFC 6797, "HTTP Strict Transport Security (HSTS)", November 2012
Source of RFC: websec (app)
Errata ID: 5372
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Claudio Saavedra
Date Reported: 2018-05-29
Section 8.1 says:
o Update the UA's cached information for the Known HSTS Host if either or both of the max-age and includeSubDomains header field value tokens are conveying information different than that already maintained by the UA.
It should say:
o Update the UA's cached information for the Known HSTS Host.
Notes:
Section 8.1 states:
Update the UA's cached information for the Known HSTS Host if either
or both of the max-age and includeSubDomains header field value
tokens are conveying information different than that already
maintained by the UA.
The way I understand this is that if an HSTS host keeps sending the same values to a conforming client, this should not update the information cached and hence the cached information will expire after max-age seconds have passed since the _first_reception_ of this header.
However, section 11.2 states:
The "constant value into the future" approach can be accomplished by
constantly sending the same max-age value to UAs.
For example, a max-age value of 7776000 seconds is 90 days:
Strict-Transport-Security: max-age=7776000
Note that each receipt of this header by a UA will require the UA to
update its notion of when it must delete its knowledge of this Known
HSTS Host.
This seems to contradict what I quoted from section 8.1. If the server constantly sends a max-age of 7776000 and includeSubDomains is not changed (which is implicit in the example), then by 8.1 the cache information won't be updated.
I believe that the desired implementation behavior is as described in 11.2, that is, the UA must update the cached information, regardless of whether either of the max-age or includeSubDomains header field values are different from what is already maintained by the UA.
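The following is an added illustration, not text or code from RFC 6797 or from this erratum: a small model of a UA's HSTS cache that implements both readings of Section 8.1 side by side. With the literal reading ('literal-8.1' below) the entry's expiry stays anchored to the first receipt of the header, so a host that keeps sending max-age=7776000 drops out of the cache 90 days after the first visit even though the UA has seen the header on every visit since; with the reading Section 11.2 relies on ('refresh' below) every receipt re-bases the expiry. The hostname, the visit days and the mode names are constructed assumptions for the example.

```javascript
// Added example (not from RFC 6797 or the erratum): a minimal UA-side HSTS cache
// implementing both readings of Section 8.1. Hostnames, visit times and the mode
// names 'literal-8.1' / 'refresh' are constructed for illustration.

const SECOND = 1000;
const DAY = 86400 * SECOND;

// Parse a Strict-Transport-Security field value into {maxAge, includeSubDomains}.
// Returns null for a value that does not conform to the Section 6.1 grammar
// (missing or non-numeric max-age, a directive given twice); a UA ignores such fields.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const piece of value.split(';')) {
    const directive = piece.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    // Directive names are case-insensitive.
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null) val = val.replace(/^"(.*)"$/, '$1'); // max-age="3600" is legal
    if (name === 'max-age') {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (includeSubDomains) return null; // repeated directive
      includeSubDomains = true;
    }
    // Unrecognised directives are ignored (Section 6.1).
  }
  if (maxAge === null) return null; // max-age is REQUIRED
  return { maxAge, includeSubDomains };
}

class HstsCache {
  // mode 'literal-8.1': leave the entry alone when max-age and includeSubDomains are unchanged.
  // mode 'refresh':     re-base the expiry on every receipt (what Section 11.2 describes).
  constructor(mode) {
    this.mode = mode;
    this.hosts = new Map(); // host -> { maxAge, includeSubDomains, expiresAt }
  }

  // Process an STS header field received over a secure transport from `host` at `nowMs`.
  // Returns true if the cache entry was created, updated or removed.
  process(host, headerValue, nowMs) {
    const policy = parseStsHeader(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.hosts.delete(host); return true; } // max-age=0 evicts
    const existing = this.liveEntry(host, nowMs);
    if (existing !== null && this.mode === 'literal-8.1' &&
        existing.maxAge === policy.maxAge &&
        existing.includeSubDomains === policy.includeSubDomains) {
      return false; // tokens unchanged: cached expiry left where it was
    }
    this.hosts.set(host, { ...policy, expiresAt: nowMs + policy.maxAge * SECOND });
    return true;
  }

  // Entry for `host` if it has not yet expired; expired entries are purged.
  liveEntry(host, nowMs) {
    const entry = this.hosts.get(host);
    if (entry === undefined) return null;
    if (nowMs >= entry.expiresAt) { this.hosts.delete(host); return null; }
    return entry;
  }

  // Section 8.2 matching: exact match, or a superdomain whose entry has includeSubDomains.
  isKnownHstsHost(host, nowMs) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.liveEntry(labels.slice(i).join('.'), nowMs);
      if (entry !== null && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }
}

// The erratum's scenario: example.com (constructed) sends max-age=7776000 (90 days)
// on every secure response. The UA visits on days 0, 30 and 60; on day 100 it is
// handed an http://example.com/ link. Does the cache still force the upgrade?
function constantMaxAgeScenario(mode) {
  const cache = new HstsCache(mode);
  for (const day of [0, 30, 60]) {
    cache.process('example.com', 'max-age=7776000', day * DAY);
  }
  const entry = cache.hosts.get('example.com');
  return {
    expiresOnDay: entry.expiresAt / DAY,
    upgradedOnDay100: cache.isKnownHstsHost('example.com', 100 * DAY),
  };
}
```

With the literal reading the entry expires on day 90 and the day-100 request goes out in the clear; with the refreshing reading the day-60 visit pushed the expiry to day 150, so the request is upgraded. The gap is exactly the window in which a network attacker could strip the first plaintext request to a site that believed the constant max-age approach kept it protected.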