Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
Alexey Melnikov <alexey.melnikov@isode.com> Fri, 04 May 2012 11:10 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41BCF21F871C for <websec@ietfa.amsl.com>; Fri, 4 May 2012 04:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.506
X-Spam-Level:
X-Spam-Status: No, score=-102.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvEJSDkoWRrH for <websec@ietfa.amsl.com>; Fri, 4 May 2012 04:10:25 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 07B3021F871A for <websec@ietf.org>; Fri, 4 May 2012 04:10:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1336129823; d=isode.com; s=selector; i=@isode.com; bh=9TywROaqWhXvsH9Auqi6LopWygUMGnxi182COa5wGgQ=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=nOa1eGParXaNHGb/U1sXwGUhBlB/f0WZNx982fMW7Nf5RQKiST3N2oWfdIv3/3Z6h0cGF7 UJxbbVS5bn9c0YJ0Ijzum5wU8FnZu6X7QT0RvOSLFXTwg9GkhMVLQKyWYIQGgNeIVjCpwN rTI5Jxyk8Guov+UzNaAn39+LaabaWPQ=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T6O5HgB=g2t5@rufus.isode.com>; Fri, 4 May 2012 12:10:23 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4FA3B940.2090204@isode.com>
Date: Fri, 04 May 2012 12:10:56 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4FA18EF1.9040206@KingsMountain.com>
In-Reply-To: <4FA18EF1.9040206@KingsMountain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 11:10:26 -0000
On 02/05/2012 20:45, =JeffH wrote: > [ resent with correct Subject: ] > > Hi Alexey, thanks for the review, apologies for latency. Hi Jeff, > > The two directives defined in this specification are described > below. > > The overall requirements for directives are: > > > > o The order of appearance of directives is not significant. > > > > o All directives MUST appear only once in an STS header field. > > > > o Directive names are case-insensitive. > > > > o UAs MUST ignore any STS header fields containing directives that > > do not conform to their ABNF definition. > > > > Should this list also say something about how unrecognized directives > > should be treated? I.e. are they ignored by default, is the whole > > STS header field ignored, etc. > > Does the last bullet item above not address those questions? No. The last bullet is talking about recognized, but invalid data. I am asking about unrecognized data. > > Additional directives extending the semantic functionality of > the STS > > header field may be defined in other specifications (which "update" > > this specification), > > > > Is this a requirement on future extensions? > > (In general "updating" this specification using Updates: in the header > > of the relevant RFC > > is a) a heavy weight mechanism (it prevents Experimental extensions) > and > > b) this seems > > like a wrong mechanism anyway, as Updates usually means that the > > document being > > updated can't be implemented without the document which updates it.) > > We can place in the above para whatever we/you/ourADs wish. > Suggestions welcome. It is not about the location of this sentence. I think you need to strike "(which "update" this specification)". > > subdomain of a publicly-available web application which may be > > secured by TLS/SSL. For example, <https://example-ca.com/> is a > > publicly-available web application for "Example CA", a > certification > > authority. Customers use this web application to register their > > public keys and obtain certificates. Example CA generates > > certificates for customers containing > > <http://crl-and-ocsp.example-ca.com/> as the value for the "CRL > > Distribution Points" and "Authority Information Access:OCSP" > > certificate fields. > > > > 13. Internationalized Domain Names for Applications (IDNA): Dependency > > and Migration > > > > IDNA2008 obsoletes IDNA2003, but there are differences between the > > two specifications, and thus there can be differences in processing > > (e.g., converting) domain name labels that have been registered > under > > one from those registered under the other. There will be a > > transition period of some time during which IDNA2003-based domain > > name labels will exist in the wild. User agents SHOULD implement > > IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section > 7 of > > [RFC5894]) or [UTS46] in order to facilitate their IDNA transition. > > > > I might be kicking a dead horse here, but MAY sounds a bit weak. > > I especially dislike having the choice between 2 incompatible specs, > > I think this might cause some interop problems. > > As far as I can tell, having had fairly extensive discussions with > IDNA folk both privately and on various lists such as idna-update@, > the above relects the the unfortunate state of the world at this time. > For instance, Pete Resnick signed off on the language in the spec in > this message to websec@... Commented on this in reply to Peter. > Re: [websec] wrt IDN processing-related security considerations for > draft-ietf-websec-strict-transport-sec > https://www.ietf.org/mail-archive/web/websec/current/msg01015.html > > we should probably fork off any further discussion on this topic to > that thread. > > > > Also, does "in order to facilitate their IDNA transition" apply > > to the second reference or to both references? > > It applies to both. One may implement [RFC5895] /or/ [UTS46] to > facilitate one's IDNA transition (as I understand it). Can you please move "in order to facilitate their IDNA transition" to the beginning of the sentence? I think this will make it clearer. > > again, followups on this item and the above should probably be in the > "Re: [websec] wrt IDN processing-related security considerations for > draft-ietf-websec-strict-transport-sec" thread here on websec@. >
- [websec] Review of draft-ietf-websec-strict-trans… Alexey Melnikov
- [websec] Showing errors in HSTS Paul Hoffman
- Re: [websec] Showing errors in HSTS Tobias Gondrom
- Re: [websec] Showing errors in HSTS Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… =JeffH
- Re: [websec] Review of draft-ietf-websec-strict-t… Peter Saint-Andre
- Re: [websec] Review of draft-ietf-websec-strict-t… Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… Peter Saint-Andre
- Re: [websec] Review of draft-ietf-websec-strict-t… =JeffH