From Robert.Vuj.Linder@outlook.com Fri May 4 13:11:59 2018
From: Robert Linder
To: websec@ietf.org
Date: Fri, 4 May 2018 20:11:53 +0000
Subject: [websec] Regarding RFC 6797

Hi,

I would like to propose the addition of the ”immutable” directive (similar to that of RFC 8246) for the HSTS header field (RFC 6797).

Best Regards,

Robert Linder

From nobody Mon May 7 12:55:08 2018
From: Yoav Nir
To: Robert Linder
Cc: websec@ietf.org
Date: Mon, 7 May 2018 22:54:59 +0300
Subject: Re: [websec] Regarding RFC 6797

> On 4 May 2018, at 23:11, Robert Linder <Robert.Vuj.Linder@outlook.com> wrote:
>
> Hi,
>
> I would like to propose the addition of the ”immutable” directive (similar to that of RFC 8246) for the HSTS header field (RFC 6797).

Immutable meaning that the HSTS header is permanent and can never be removed? So if a user agent has seen an immutable HSTS header once, that site has to be (valid) HTTPS-only forever?

Interesting idea.

Anyway, the WebSec working group has been closed for several years now. If you would like to extend HSTS, you should submit an individual draft (something with a name like draft-linder-hsts-immutable-00).

You can then discuss the draft either here or in the secdispatch mailing list (more technical discussion goes here; procedural discussion goes there).

You can also ask to present your draft at the meeting of the SecDispatch working group at the next IETF meeting (this July in Montreal, or the one after that: November in Bangkok). The purpose of the SecDispatch working group is to recommend what to do with new drafts - either spin up a new working group, or find an existing working group to work on this, or ask an Area Director to sponsor the draft as an individual submission.

Hope this helps

Yoav
(former co-chair of WebSec)

From nobody Tue May 8 00:48:05 2018
From: Anne van Kesteren
To: Yoav Nir
Cc: Robert Linder, websec@ietf.org
Date: Tue, 8 May 2018 09:47:57 +0200
Subject: Re: [websec] Regarding RFC 6797

On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote:
> Immutable meaning that the HSTS header is permanent and can never be
> removed? So if a user agent has seen an immutable HSTS header once, that
> site has to be (valid) HTTPS-only forever?
>
> Interesting idea.

FWIW, if anything, it should be about standardizing
https://hstspreload.org/. That's already the widely adopted practice
to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible,
other than using a TLD that has HSTS as policy. And even then TLDs get
reassigned or disappear at times...)

-- 
https://annevankesteren.nl/

From nobody Tue May 8 11:18:26 2018
From: Eric Mill
To: Anne van Kesteren
Cc: Yoav Nir, Robert Linder, websec@ietf.org
Date: Tue, 8 May 2018 14:17:38 -0400
Subject: Re: [websec] Regarding RFC 6797

On Tue, May 8, 2018 at 3:47 AM, Anne van Kesteren wrote:
> On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote:
> > Immutable meaning that the HSTS header is permanent and can never be
> > removed? So if a user agent has seen an immutable HSTS header once, that
> > site has to be (valid) HTTPS-only forever?
> >
> > Interesting idea.
>
> FWIW, if anything, it should be about standardizing
> https://hstspreload.org/. That's already the widely adopted practice
> to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible,
> other than using a TLD that has HSTS as policy. And even then TLDs get
> reassigned or disappear at times...)

There is a list that could be used to discuss that, run by Chrome but with members from other browsers: https://groups.google.com/a/chromium.org/forum/#!forum/hsts-discuss

I also discussed some ideas with Lucas Garron (then on the Chrome team) in late 2016 / early 2017 about how to standardize a way for public suffixes to automatically request preloading, which we sketched out here: https://docs.google.com/document/d/1fngkzHVBRRzYKWgiKDiUrOqWDUkDBbbTXAbo4BHEAoI/edit#heading=h.au203bjfkch0

In the end we didn't do anything sophisticated or standard, and instead .gov just emails new domains in small, regular batches to Chrome and Firefox for preloading. But moving the preloading process towards standardization seems like it would be positive for everyone.

-- Eric

-- 
Eric Mill
Senior Advisor, Technology Transformation Services
Federal Acquisition Service, GSA
eric.mill@gsa.gov, +1-617-314-0966
From nobody Mon May 14 08:59:56 2018
From: Tobias Gondrom
To: Anne van Kesteren, Yoav Nir
Cc: Robert Linder, websec@ietf.org
Date: Mon, 14 May 2018 17:59:47 +0200
Subject: Re: [websec] Regarding RFC 6797

I agree. Preload is probably the easiest way to go.
And the use case of transfer of domain ownership can not be ignored.

Not sure whether preload really needs further standardization, after all there are only a few browser implementations out there.
However, if you think that is needed, feel free to drop me a message and we can write up a quick ID and publish it as individual ID.

Best regards, Tobias

-----Original Message-----
From: websec On Behalf Of Anne van Kesteren
Sent: Tuesday, May 8, 2018 9:48 AM
To: Yoav Nir
Cc: Robert Linder; websec@ietf.org
Subject: Re: [websec] Regarding RFC 6797

On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote:
> Immutable meaning that the HSTS header is permanent and can never be
> removed? So if a user agent has seen an immutable HSTS header once,
> that site has to be (valid) HTTPS-only forever?
>
> Interesting idea.

FWIW, if anything, it should be about standardizing
https://hstspreload.org/. That's already the widely adopted practice
to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible,
other than using a TLD that has HSTS as policy. And even then TLDs get
reassigned or disappear at times...)
-- 
https://annevankesteren.nl/

From nobody Mon May 14 09:32:14 2018
From: Anne van Kesteren
To: Tobias Gondrom
Cc: Yoav Nir, Robert Linder, websec@ietf.org
Date: Mon, 14 May 2018 18:32:06 +0200
Subject: Re: [websec] Regarding RFC 6797

On Mon, May 14, 2018 at 5:59 PM, Tobias Gondrom wrote:
> I agree. Preload is probably the easiest way to go.
> And the use case of transfer of domain ownership can not be ignored.
>
> Not sure whether preload really needs further standardization, after all
> there are only a few browser implementations out there.
> However, if you think that is needed, feel free to drop me a message and we
> can write up a quick ID and publish it as individual ID.

I think it'd be good to formalize that the preload keyword is used, cannot be used for something else, and what it's used for.

-- 
https://annevankesteren.nl/

From nobody Tue May 15 01:50:42 2018
From: Tobias Gondrom
To: Anne van Kesteren
Cc: Yoav Nir, Robert Linder, websec@ietf.org
Date: Tue, 15 May 2018 10:50:31 +0200
Subject: Re: [websec] Regarding RFC 6797

-----Original Message-----
From: Anne van Kesteren
Sent: Monday, May 14, 2018 6:32 PM
To: Tobias Gondrom
Cc: Yoav Nir; Robert Linder; websec
Subject: Re: [websec] Regarding RFC 6797

> On Mon, May 14, 2018 at 5:59 PM, Tobias Gondrom wrote:
>> I agree. Preload is probably the easiest way to go.
>> And the use case of transfer of domain ownership can not be ignored.
>>
>> Not sure whether preload really needs further standardization, after
>> all there are only a few browser implementations out there.
>> However, if you think that is needed, feel free to drop me a message
>> and we can write up a quick ID and publish it as individual ID.
>
> I think it'd be good to formalize that the preload keyword is used, cannot be used for something else, and what it's used for.
Do you think we need for this an individual RFC or would there be any = simpler way we could achieve this?=20 Best regards, Tobias From nobody Tue May 15 02:00:47 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C29512D7E6 for ; Tue, 15 May 2018 02:00:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.019 X-Spam-Level: X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=annevk.nl Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0hHmeWPGAbj for ; Tue, 15 May 2018 02:00:45 -0700 (PDT) Received: from homiemail-a5.g.dreamhost.com (homie.mail.dreamhost.com [208.97.132.208]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8F48120721 for ; Tue, 15 May 2018 02:00:44 -0700 (PDT) Received: from homiemail-a5.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a5.g.dreamhost.com (Postfix) with ESMTP id 605D070406F for ; Tue, 15 May 2018 02:00:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=annevk.nl; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc: content-type; s=annevk.nl; bh=qiMsr82jL57U5w/bMAipcCTSFAE=; b=ap 4QmiFq+YgO0PEn8ffk0tXlXQGQ6jgO5nfnDaJ1NCnOr7xFNFc6HAc0n9wRWzJ9LA FAHnvQHlY27mVN3284MkIRSfl2x2/0hP6mHTyd77vCHiqnMUtrDzWBpe7E9cOGt4 pziQ/IsM0OZbNPJuykhUTEYVBQi3jJtxm8fDQr9zg= Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) (using TLSv1 with cipher AES128-SHA (128/128 
bits)) (No client certificate requested) (Authenticated sender: annevk@annevk.nl) by homiemail-a5.g.dreamhost.com (Postfix) with ESMTPSA id 3323270406E for ; Tue, 15 May 2018 02:00:43 -0700 (PDT) Received: by mail-wm0-f41.google.com with SMTP id j5-v6so20045784wme.5 for ; Tue, 15 May 2018 02:00:43 -0700 (PDT) X-Gm-Message-State: ALKqPwfq6gwPs3o9ZVMLDqKa/RpbWzJD+jG2Be97Z7pjUzxLxj7e5e6M 7pymAMBYrQ1//c7CvbimgxQEQUc5joOf3poOCQ== X-Google-Smtp-Source: AB8JxZofNATxFEtyOIl2Q/ZIBiVMZTFCuPsKladsnQZoLANSoevs1R5pnDqlmnMdnlExrPEkRL3KuCI4bV89MQiuyo8= X-Received: by 2002:a50:9164:: with SMTP id f33-v6mr16850641eda.29.1526374841659; Tue, 15 May 2018 02:00:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.138.2 with HTTP; Tue, 15 May 2018 02:00:41 -0700 (PDT) In-Reply-To: <004301d3ec29$c8dc4750$5a94d5f0$@gondrom.org> References: <960CE667-98A4-48A9-9E7E-B32E3405A961@gmail.com> <019e01d3eb9c$955927f0$c00b77d0$@gondrom.org> <004301d3ec29$c8dc4750$5a94d5f0$@gondrom.org> From: Anne van Kesteren Date: Tue, 15 May 2018 11:00:41 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Tobias Gondrom Cc: Yoav Nir , Robert Linder , websec Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [websec] Regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 May 2018 09:00:46 -0000 On Tue, May 15, 2018 at 10:50 AM, Tobias Gondrom wrote: > Do you think we need for this an individual RFC or would there be any simpler way we could achieve this? You need an RFC that updates the existing RFC as there's no other extension path provided. 
-- https://annevankesteren.nl/ From nobody Tue May 22 22:49:07 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19A761241F5 for ; Tue, 22 May 2018 22:49:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.701 X-Spam-Level: X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eitanadler.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7zc76DxoJdm for ; Tue, 22 May 2018 22:49:03 -0700 (PDT) Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6968120454 for ; Tue, 22 May 2018 22:49:03 -0700 (PDT) Received: by mail-yw0-x22e.google.com with SMTP id u83-v6so6328784ywc.4 for ; Tue, 22 May 2018 22:49:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eitanadler.com; s=0xdeadbeef; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=b9MRhlf60/P7bY/yx6li68rmFDVgEXUOkljAgB9TjFU=; b=LFzscBtsH1v3jbKNgOm4Ha1+bk94yJnjC40DoX62bGh7OVypbQyDDlq6cNbDDfHdYm SSK5ZKYT3mODKaDe/Tjppm6aq3A0whC+2kA9QKWOuPFnfVk9sIIsdxvOp8biF0Iu8I7f csA8JikSKELLxzhLJuB3LiSo7RSuhUR/49pMs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=b9MRhlf60/P7bY/yx6li68rmFDVgEXUOkljAgB9TjFU=; b=puqKjInPdwoVVOU8VDkNe14Sh+PJ1Bq20jsLYBrOVa7ERBhVATmJibVjigLz+IvnT0 
U3u3TqABCoKoHuWcYOMabrXg58NJpdvzkDbsWQjGS+xAkriCdZLUfbAMMfM9I7QTQcuv j1gFaT5fT4NHz3pfxLVV4cmE6KNbtEzMe03Up6uwJiLdB7V60A/HFOId51VokMpudAp1 tZpH7G4iGbJmRxO0saXUsah6ov9AFTko8sUcwxstZN+R7hgCzcMeaa1IqLoj8qmKZdG9 /lYjGR6tmQ5zXHMqpsM4P6PmIOpkuL5m1UbhjnQnylWmpxR1TcwF19IAeVKDS1poQU/Q P20w== X-Gm-Message-State: ALKqPwexvK/TE7Bu9XWiqjJ9AV2YjfAXGVomDWfJHVF3yvU7uQjbi0va jOUuLTQyMYHRGzEUSV8+epMI0K7sQ0j02M/QtvLyXw== X-Google-Smtp-Source: AB8JxZqmYsTFrqevEivSgUOYG9CoOaIzW8otOQIkeUrzSCkWCgUwAhK3DxSBkHVRAGLk1EE/i1UtPTLXgjH7DEZ9u9U= X-Received: by 2002:a81:a68a:: with SMTP id d132-v6mr688243ywh.387.1527054542588; Tue, 22 May 2018 22:49:02 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:c709:0:0:0:0:0 with HTTP; Tue, 22 May 2018 22:48:32 -0700 (PDT) In-Reply-To: <019e01d3eb9c$955927f0$c00b77d0$@gondrom.org> References: <960CE667-98A4-48A9-9E7E-B32E3405A961@gmail.com> <019e01d3eb9c$955927f0$c00b77d0$@gondrom.org> From: Eitan Adler Date: Tue, 22 May 2018 22:48:32 -0700 Message-ID: To: Tobias Gondrom Cc: Anne van Kesteren , Yoav Nir , Robert Linder , websec@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [websec] Regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2018 05:49:06 -0000 On 14 May 2018 at 08:59, Tobias Gondrom wrote: > I agree. Preload is probably the easiest way to go. > And the use case of transfer of domain ownership can not be ignored. > > Not sure whether preload really needs further standardization, after all > there are only a few browser implementations out there. > However, if you think that is needed, feel free to drop me a message and we > can write up a quick ID and publish it as individual ID. What ever happened to this? It can be valuable to standardize preloading. 
-- Eitan Adler From nobody Mon May 28 01:20:23 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 747C3127342 for ; Mon, 28 May 2018 01:20:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.102 X-Spam-Level: X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=igalia.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6Hi18-o-Td1 for ; Mon, 28 May 2018 01:20:20 -0700 (PDT) Received: from fanzine.igalia.com (fanzine.igalia.com [91.117.99.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37565127333 for ; Mon, 28 May 2018 01:20:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Mime-Version:Content-Type:Date:To:From:Subject:Message-ID; bh=IFKRsZFCWzQbJA/Ay9OPQ899TQgMzO9M39W98CW6Hiw=; b=bgCqiT9hC+2LYM8gpYNBSJikN6hd3+2/ECCpNtqXg2BqTyorjujBlTBM3ukXMkHmEYb4wx1tKOWJQ0JmTl2t7o8mbjL1SdkwlG2FyxppUkBrEau6KlJXrYX3HMeHJpHmwBIovQhyO6xALlPJF/qJbch5MRxWcYY2QGMhPh+nEdn5zSgEWkuASMPs9Gfs87JRaV34l3VFHL/qxQtP73Wj55GVq99MCQDRDNxvUjEjk//gLGDQDyyIUQYQJhp1JjUU1opV45Uv20JxdhUZTcGg6V/nd9fSh90rV1rFzSxSSR8U1zhAVm4ok8Oo2f3tmrR6xAbmDMFvaJY0+FEGTFX6tQ==; Received: from 82-181-106-252.bb.dnainternet.fi ([82.181.106.252] helo=patanjali) by fanzine.igalia.com with esmtpsa (Cipher TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim) id 1fNDO2-00011A-Pp for ; Mon, 28 May 2018 10:20:15 +0200 Message-ID: From: Claudio Saavedra To: 
websec@ietf.org Date: Mon, 28 May 2018 11:20:02 +0300 Organization: Igalia Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.2-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Archived-At: Subject: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 May 2018 08:20:23 -0000 Hi, I am currently implementing HSTS support for libsoup and there is one point that I find confusing and I would appreciate your comments. Section 8.1 states: Update the UA's cached information for the Known HSTS Host if either or both of the max-age and includeSubDomains header field value tokens are conveying information different than that already maintained by the UA. The way I understand this is that if a HSTS host keeps sending the same values to a conforming client, this should not update the information cached and hence the cached information will expire after max-age seconds have passed since the _first_reception_ of this header. However, section 11.2 states: The "constant value into the future" approach can be accomplished by constantly sending the same max-age value to UAs. For example, a max-age value of 7776000 seconds is 90 days: Strict-Transport-Security: max-age=7776000 Note that each receipt of this header by a UA will require the UA to update its notion of when it must delete its knowledge of this Known HSTS Host. This seems to contradict what I quoted from section 8.1. If the server constantly sends a max-age of 7776000 and includeSubDomains is not changed (which is implicit in the example), then by 8.1 the cache information won't be updated. Would you mind clarifying this? 
Best regards, Claudio From nobody Mon May 28 04:21:09 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9530C12D7EC for ; Mon, 28 May 2018 04:21:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=annevk.nl Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id amV839EnRTnt for ; Mon, 28 May 2018 04:21:06 -0700 (PDT) Received: from homiemail-a14.g.dreamhost.com (homie.mail.dreamhost.com [208.97.132.208]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1798712D7E5 for ; Mon, 28 May 2018 04:21:06 -0700 (PDT) Received: from homiemail-a14.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a14.g.dreamhost.com (Postfix) with ESMTP id 98B1139208B for ; Mon, 28 May 2018 04:21:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=annevk.nl; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc: content-type; s=annevk.nl; bh=GAFWAkdaFutAhZNLIt2UqLDDzYw=; b=pb 1X+46wdAEQSbvrmo9IXe+/8D0I+tNg/HDKlv0S2pLMqzHOIS2dkmPv7+N1YfnXUr o5jewLR2/arXMrJ/A9MM8fxZv+i6bxNqLHjDlinGNDiSODeqmbdk00BfB7t+fkqY mkKbHEwxZiUs30zV3WZWjpUFh5fHZIM+zf1dBtEcE= Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: annevk@annevk.nl) by homiemail-a14.g.dreamhost.com (Postfix) with ESMTPSA id 69D41392078 for ; Mon, 28 May 2018 04:21:04 
-0700 (PDT) Received: by mail-wm0-f44.google.com with SMTP id 18-v6so25655890wml.2 for ; Mon, 28 May 2018 04:21:04 -0700 (PDT) X-Gm-Message-State: ALKqPwceS1RzsDGN4o0wXutiv/eiSBNd1gAyNu1Apc4TG2DUFJtxAtA6 UZHi1MCe1DmRgqGmLXNlkfuvM6IqB+feeFSbdg== X-Google-Smtp-Source: AB8JxZq59ncm27/32KrC4NNwC3El8ZuMnK13rEbtnJSomBGmTjdVgVJWkKA65quKx9iclsYNu2M+voC3unVyk50wDX0= X-Received: by 2002:a50:a2e5:: with SMTP id 92-v6mr14478614edm.82.1527506463002; Mon, 28 May 2018 04:21:03 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a50:8a02:0:0:0:0:0 with HTTP; Mon, 28 May 2018 04:21:02 -0700 (PDT) In-Reply-To: References: From: Anne van Kesteren Date: Mon, 28 May 2018 13:21:02 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Claudio Saavedra Cc: websec Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 May 2018 11:21:08 -0000 On Mon, May 28, 2018 at 10:20 AM, Claudio Saavedra wrote: > Section 8.1 states: > > Update the UA's cached information for the Known HSTS Host if either > or both of the max-age and includeSubDomains header field value > tokens are conveying information different than that already > maintained by the UA. > > The way I understand this is that if a HSTS host keeps sending the same > values to a conforming client, this should not update the information > cached and hence the cached information will expire after max-age > seconds have passed since the _first_reception_ of this header. I have a hard time reading it another way as well; if true, this would be a security bug. 
-- https://annevankesteren.nl/ From nobody Tue May 29 02:20:49 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1199D12E8B1 for ; Tue, 29 May 2018 02:20:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=igalia.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KQaL17DyU15l for ; Tue, 29 May 2018 02:20:46 -0700 (PDT) Received: from fanzine.igalia.com (fanzine.igalia.com [91.117.99.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA9A212E8D9 for ; Tue, 29 May 2018 02:20:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID; bh=fcM54+DhX5wMajQoQ7jHYQr0Jw4x1f2GWLwnLpo92Ec=; b=R5yaF2ThUUy1Qd+7ZMWMkkPm9qkvueF94cfXwxHEXZRgZpdKW4y0WqH0EqUGZV3dfckzufCV/+LObciaKqFxwLnmZVhWrnT6Yc+nIzWZlkelJvsexnc51nUL2Oz4Veks/xiPYyMvFaNWSHQlZ4KqXcSlZU2xYAo/uVatWhN3qhXQcjGv+hibjRgBni6wgj49Q/DT6cp8BWiBysGH4bPDY0R/ZratTrZtLBTgpUOL3TpYPmYw2UcFk4CrgYkeFh1iF4Crv0kHCamuC3KB1rDWbK7NkS77z3ivqARo4fHlLNAygqsvmHunoGSEa+7OB+9x3nno7q2vx6uXD0W8FQNITg==; Received: from [194.100.51.2] (helo=patanjali) by fanzine.igalia.com with esmtpsa (Cipher TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim) id 1fNao5-0000WX-4V; Tue, 29 May 2018 11:20:41 +0200 Message-ID: 
<66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> From: Claudio Saavedra To: Anne van Kesteren Cc: websec Date: Tue, 29 May 2018 12:20:28 +0300 In-Reply-To: References: Organization: Igalia Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.2-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2018 09:20:48 -0000 On Mon, 2018-05-28 at 13:21 +0200, Anne van Kesteren wrote: > On Mon, May 28, 2018 at 10:20 AM, Claudio Saavedra com> wrote: > > Section 8.1 states: > > > > Update the UA's cached information for the Known HSTS Host if > > either > > or both of the max-age and includeSubDomains header field value > > tokens are conveying information different than that already > > maintained by the UA. > > > > The way I understand this is that if a HSTS host keeps sending the > > same > > values to a conforming client, this should not update the > > information > > cached and hence the cached information will expire after max-age > > seconds have passed since the _first_reception_ of this header. > > I have a hard time reading it another way as well; if true, this > would be a security bug. So if this is a security bug, I'm understanding that the desired behavior would be the one described in 11.2. What can be done in the specification to deal with this? Can it be reworded/updated? How can we implementors know which of the behaviors described in 8.1 or 11.2 is to be honored? 
Best regards, Claudio From nobody Tue May 29 02:30:29 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2F4912E8EF for ; Tue, 29 May 2018 02:30:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.019 X-Spam-Level: X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=annevk.nl Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WORxnwDYUps4 for ; Tue, 29 May 2018 02:30:25 -0700 (PDT) Received: from homiemail-a37.g.dreamhost.com (homie.mail.dreamhost.com [208.97.132.208]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF8EE12EA42 for ; Tue, 29 May 2018 02:30:25 -0700 (PDT) Received: from homiemail-a37.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a37.g.dreamhost.com (Postfix) with ESMTP id 1666C20806C for ; Tue, 29 May 2018 02:30:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=annevk.nl; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc: content-type; s=annevk.nl; bh=nHtxeotgxyPd94XcJpIXww8LwvM=; b=sn Qg+5jdzs20ifiGq5EXKv4w2c4fJe7Vi/afqzQmnGKXUooXRg41RlVgkr2vxbpHSO crz/Ipz6V1VBe1viqLVsMe4ey0ZoVAqJtibq2hFFFDh1SZNCTE0wHWk0h1WV9QhV aqD8/HmRelDbkZ9CoJ7YErSaS37bJgWp1LJORki/A= Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: annevk@annevk.nl) by 
homiemail-a37.g.dreamhost.com (Postfix) with ESMTPSA id DB77820806B for ; Tue, 29 May 2018 02:30:24 -0700 (PDT) Received: by mail-wm0-f41.google.com with SMTP id l1-v6so38687216wmb.2 for ; Tue, 29 May 2018 02:30:24 -0700 (PDT) X-Gm-Message-State: ALKqPweoYze3f6k3UoonpF7QjQvKUuifcimqT0ZKlqI12viMjo7Vs/Jh ogWD2mtSBU5GnfWpCg141G+sG2VCwuBGHx2yhQ== X-Google-Smtp-Source: AB8JxZqD4/jOhVI5AO/GeW9VFlgsCCcUUFFkKQ25gzOMw+6Lxc+aLxDc+Rzb7gIoR08RhPkL9znNQcM3u40IBipy3e4= X-Received: by 2002:a50:f190:: with SMTP id x16-v6mr13896204edl.59.1527586223182; Tue, 29 May 2018 02:30:23 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a50:8a02:0:0:0:0:0 with HTTP; Tue, 29 May 2018 02:30:21 -0700 (PDT) In-Reply-To: <66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> References: <66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> From: Anne van Kesteren Date: Tue, 29 May 2018 11:30:21 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Claudio Saavedra Cc: websec Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2018 09:30:28 -0000 On Tue, May 29, 2018 at 11:20 AM, Claudio Saavedra wrote: > So if this is a security bug, I'm understanding that the desired > behavior would be the one described in 11.2. What can be done in the > specification to deal with this? Can it be reworded/updated? How can we > implementors know which of the behaviors described in 8.1 or 11.2 is to > be honored? I'm not sure. Raising errata would be good, but it's always a little bit unclear to me whether it's going to be accepted, but at least there's a way to find the issue then (other than browsing the mailing list), even if not accepted. 
After that it's probably updating the document, which is rather involved. -- https://annevankesteren.nl/ From nobody Tue May 29 02:33:54 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFAD11275AB for ; Tue, 29 May 2018 02:33:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=igalia.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYSZBiqMvT0V for ; Tue, 29 May 2018 02:33:51 -0700 (PDT) Received: from fanzine.igalia.com (fanzine.igalia.com [91.117.99.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45CBA129C53 for ; Tue, 29 May 2018 02:33:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID; bh=WwOS+wZ/vFIh7JJD0vxwBe/bMyW3M1Ufvad+yUMV0YA=; b=abYu/3hv8PtYoJe70EKQoTqRHdkJjXIg+OGwQXh+JbTbEQsyPdj4ZeagGM1p3GHnncX9BMn4AKe3wMVqn26r8t8KIBLdBvV4m3qY5rwPXnovNK3KsBFv70Y41TwZAKW41IvSjMMAbGQLzkFbfIrxSEMPt8YniqwQ+qWJq3o4ndtnNTcetUXj4Zzk2cGA5rbXuVCHgec1o5TEqOA12wmITaVaWcGyABpUdywwdaHFdtly4WJdVhBisxqEapMRk4GQwqn+Y080OBkLF3mWPMuXR767kiVGrDKY6B7SvTWVdlzeIYLPt4/wIFCa3TzSMfOKtfJh7XO1/m5iOm4rNN5wjQ==; Received: from [194.100.51.2] (helo=patanjali) by fanzine.igalia.com with esmtpsa (Cipher TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim) id 1fNb0n-0001su-0H; 
Tue, 29 May 2018 11:33:49 +0200 Message-ID: From: Claudio Saavedra To: Anne van Kesteren Cc: websec Date: Tue, 29 May 2018 12:33:36 +0300 In-Reply-To: References: <66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> Organization: Igalia Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.2-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2018 09:33:53 -0000 On Tue, 2018-05-29 at 11:30 +0200, Anne van Kesteren wrote: > On Tue, May 29, 2018 at 11:20 AM, Claudio Saavedra com> wrote: > > So if this is a security bug, I'm understanding that the desired > > behavior would be the one described in 11.2. What can be done in > > the > > specification to deal with this? Can it be reworded/updated? How > > can we > > implementors know which of the behaviors described in 8.1 or 11.2 > > is to > > be honored? > > I'm not sure. Raising errata would be good, but it's always a little > bit unclear to me whether it's going to be accepted, but at least > there's a way to find the issue then (other than browsing the mailing > list), even if not accepted. After that it's probably updating the > document, which is rather involved. Thanks, I'll raise an errata then and follow 11.2 in the implementation for now. 
Claudio From nobody Tue May 29 02:51:41 2018 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA58312EAB8 for ; Tue, 29 May 2018 02:51:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=igalia.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QS798iFCelHb for ; Tue, 29 May 2018 02:51:27 -0700 (PDT) Received: from fanzine.igalia.com (fanzine.igalia.com [91.117.99.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23F4C12EA53 for ; Tue, 29 May 2018 02:51:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID; bh=E+0mh+Dbb0aT1fPXcFYBh/JEBQHugWTpKRsXrf2O1lw=; b=sl3yYlTc0REEIExsmUsW1NeysDQw4EBmPcsou0jrdZWJCgpPYhWMizCTtlZHM6Om0+QoNn8ykHtLPCz+8XowT9SgbkOsEfsSzipD6dwi0ZeI1hbifZmgxdpotGgGPArpdpyQvVNsoCBnINAdUDFv7FjEXPghcE8OsqFOswZQ/r6bPgkuTYvsClt8L+gtc6MslnFn1F1+hHSxGQ1OUlRYIS5jPwIOiavYj4WVE9qxhpdjXnThvXPazzwwXNiTcuz3JaxVBZSxtzjm0+5Vy5eYo9sAiQp2VtPXPjspTNSWE7jWUCZIeuPQalPejWppvtsdmOvf3pzdGFO3qovqzj/9Og==; Received: from [194.100.51.2] (helo=patanjali) by fanzine.igalia.com with esmtpsa (Cipher TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim) id 1fNbHm-0003dV-GZ; Tue, 29 May 2018 11:51:22 +0200 Message-ID: 
<4dc163dcb044bdcc1ff48cb39899c6ce88e3918f.camel@igalia.com> From: Claudio Saavedra To: Anne van Kesteren Cc: websec Date: Tue, 29 May 2018 12:51:04 +0300 In-Reply-To: References: <66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> Organization: Igalia Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.2-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [websec] Question regarding RFC 6797 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2018 09:51:40 -0000 On Tue, 2018-05-29 at 12:33 +0300, Claudio Saavedra wrote: > On Tue, 2018-05-29 at 11:30 +0200, Anne van Kesteren wrote: > > On Tue, May 29, 2018 at 11:20 AM, Claudio Saavedra > a. > > com> wrote: > > > So if this is a security bug, I'm understanding that the desired > > > behavior would be the one described in 11.2. What can be done in > > > the > > > specification to deal with this? Can it be reworded/updated? How > > > can we > > > implementors know which of the behaviors described in 8.1 or 11.2 > > > is to > > > be honored? > > > > I'm not sure. Raising errata would be good, but it's always a > > little > > bit unclear to me whether it's going to be accepted, but at least > > there's a way to find the issue then (other than browsing the > > mailing > > list), even if not accepted. After that it's probably updating the > > document, which is rather involved. > > Thanks, I'll raise an errata then and follow 11.2 in the > implementation for now. 
Errata for this in https://www.rfc-editor.org/errata/eid5372

Claudio

From nobody Tue May 29 03:04:07 2018
From: Anne van Kesteren
To: Claudio Saavedra
Cc: websec
Date: Tue, 29 May 2018 12:03:59 +0200
In-Reply-To: <4dc163dcb044bdcc1ff48cb39899c6ce88e3918f.camel@igalia.com>
References: <66ba316c85cea6690ad7bc10445783e53b8e8872.camel@igalia.com> <4dc163dcb044bdcc1ff48cb39899c6ce88e3918f.camel@igalia.com>
Subject: Re: [websec] Question regarding RFC 6797

On Tue, May 29, 2018 at 11:51 AM, Claudio Saavedra wrote:
> Errata for this in https://www.rfc-editor.org/errata/eid5372

Thank you!
--
https://annevankesteren.nl/

From nobody Tue May 29 04:35:16 2018
From: RFC Errata System
To: Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com, ben@nostrum.com, aamelnikov@fastmail.fm, adam@nostrum.com, tobias.gondrom@gondrom.org, ynir.ietf@gmail.com
Cc: csaavedra@igalia.com, websec@ietf.org, rfc-editor@rfc-editor.org
Date: Tue, 29 May 2018 02:48:11 -0700 (PDT)
Message-Id: <20180529094811.17F09B82393@rfc-editor.org>
Subject: [websec] [Technical Errata Reported] RFC6797 (5372)

The following errata report has been submitted for RFC6797,
"HTTP Strict Transport Security (HSTS)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5372

--------------------------------------
Type: Technical
Reported by: Claudio Saavedra

Section: 8.1

Original Text
-------------
   o  Update the UA's cached information for the Known HSTS Host if
      either or both of the max-age and includeSubDomains header field
      value tokens are conveying information different than that
      already maintained by the UA.

Corrected Text
--------------
   o  Update the UA's cached information for the Known HSTS Host.

Notes
-----
Section 8.1 states:

   Update the UA's cached information for the Known HSTS Host if either
   or both of the max-age and includeSubDomains header field value
   tokens are conveying information different than that already
   maintained by the UA.

The way I understand this is that if a HSTS host keeps sending the same
values to a conforming client, this should not update the information
cached and hence the cached information will expire after max-age
seconds have passed since the _first_reception_ of this header.

However, section 11.2 states:

   The "constant value into the future" approach can be accomplished by
   constantly sending the same max-age value to UAs. For example, a
   max-age value of 7776000 seconds is 90 days:

      Strict-Transport-Security: max-age=7776000

   Note that each receipt of this header by a UA will require the UA to
   update its notion of when it must delete its knowledge of this Known
   HSTS Host.

This seems to contradict what I quoted from section 8.1. If the server
constantly sends a max-age of 7776000 and includeSubDomains is not
changed (which is implicit in the example), then by 8.1 the cache
information won't be updated.

I believe that the desired implementation behavior is as described in
11.2, that is, UA must update the cached information, regardless of
whether either of the max-age or includeSubDomains header field values
are different from what is already maintained by the UA.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6797 (draft-ietf-websec-strict-transport-sec-14)
--------------------------------------
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Area                : Applications
Stream              : IETF
Verifying Party     : IESG
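The difference the erratum describes can be made concrete with a toy Known HSTS Host store that runs under either reading. The following is an added illustration, not code from the thread, from RFC 6797 or from any browser: it parses the Strict-Transport-Security field value per Section 6.1, then replays the Section 11.2 scenario (a host that keeps sending max-age=7776000) once under the literal Section 8.1 rule (no update unless max-age or includeSubDomains changed) and once with the expiry refreshed on every receipt. The host name, the visit schedule and the in-memory store layout are constructed for the example.

```python
"""Toy HSTS cache modelling the two readings of RFC 6797, Section 8.1.
Added example; the host, visit schedule and store layout are constructed."""
import re
from dataclasses import dataclass

DAY = 86400
NINETY_DAYS = 7776000          # the max-age value used in RFC 6797, Section 11.2


@dataclass
class HstsEntry:
    expires_at: int            # absolute time (seconds) at which the entry lapses
    include_subdomains: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797, Section 6.1).

    Returns (max_age, include_subdomains), or None when the header is invalid
    (max-age missing or not a non-negative integer, or a directive repeated).
    Unrecognised directives such as "preload" are ignored, as Section 6.1 requires.
    """
    max_age, include_subdomains, seen = None, False, set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if name in seen:       # Section 6.1: a directive MUST NOT appear more than once
            return None
        seen.add(name)
        if name == "max-age":
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]  # delta-seconds may be sent as a quoted-string
            if not re.fullmatch(r"[0-9]+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:        # max-age is REQUIRED
        return None
    return max_age, include_subdomains


class HstsCache:
    """refresh_on_every_receipt=True is the Section 11.2 behaviour (each receipt
    resets the expiry); False is the literal Section 8.1 reading the erratum
    describes (no update unless the max-age/includeSubDomains tokens differ)."""

    def __init__(self, refresh_on_every_receipt):
        self.refresh = refresh_on_every_receipt
        self.hosts = {}        # host -> HstsEntry
        self.last_seen = {}    # host -> (max_age, include_subdomains) last applied

    def _drop(self, host):
        self.hosts.pop(host, None)
        self.last_seen.pop(host, None)

    def process_header(self, host, value, now):
        """Apply one STS header received over a secure connection at time `now`."""
        parsed = parse_sts(value)
        if parsed is None:
            return             # invalid header: ignore it, leave the cache untouched
        max_age, include_subdomains = parsed
        if host in self.hosts and now >= self.hosts[host].expires_at:
            self._drop(host)   # an expired entry no longer counts as cached information
        if max_age == 0:
            self._drop(host)   # max-age=0 tells the UA to forget the host
            return
        unchanged = self.last_seen.get(host) == (max_age, include_subdomains)
        if host in self.hosts and unchanged and not self.refresh:
            return             # literal 8.1: same tokens, so nothing is updated
        self.hosts[host] = HstsEntry(now + max_age, include_subdomains)
        self.last_seen[host] = (max_age, include_subdomains)

    def is_known(self, host, now):
        """Section 8.2 matching: exact host, or a superdomain whose entry carries
        includeSubDomains. Expired entries are purged on the way."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires_at:
                self._drop(candidate)
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def simulate(refresh, value, visit_days, check_day, host="example.com"):
    """Replay visits (in days) that each return `value`, then ask whether the
    host is still a Known HSTS Host on `check_day`. Input is constructed."""
    cache = HstsCache(refresh)
    for day in visit_days:
        cache.process_header(host, value, day * DAY)
    return cache.is_known(host, check_day * DAY)


if __name__ == "__main__":
    hdr = "max-age=%d" % NINETY_DAYS
    visits = [0, 30, 60, 89]   # regular visits, always the same header
    print("11.2 reading, day 120:", simulate(True, hdr, visits, 120))   # -> True
    print("8.1 literal,  day 120:", simulate(False, hdr, visits, 120))  # -> False
```

Under the literal Section 8.1 reading the entry lapses 90 days after the first receipt even though the site was visited on day 89, which is exactly the gap the erratum points at; with the expiry refreshed on every receipt the host stays known until day 179. The parser also shows the checks an implementation needs before it ever reaches the update step: a missing or malformed max-age, or a repeated directive, makes the whole header invalid and must leave the cache as it was.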