Re: [DNSOP] Declaring HTTPS mandatory in the DNS

Kevin Darcy <kcd@chrysler.com> Mon, 19 November 2012 12:33 UTC

Return-Path: <kcd@chrysler.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9B821F8616 for <dnsop@ietfa.amsl.com>; Mon, 19 Nov 2012 04:33:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sst1YKp0Avwu for <dnsop@ietfa.amsl.com>; Mon, 19 Nov 2012 04:33:14 -0800 (PST)
Received: from odbmap02.extra.chrysler.com (odbmap02.out.extra.chrysler.com [129.9.40.27]) by ietfa.amsl.com (Postfix) with ESMTP id 6B55121F8576 for <dnsop@ietf.org>; Mon, 19 Nov 2012 04:33:03 -0800 (PST)
Received: from odbmap04.oddc.chrysler.com (Unknown_Domain [53.28.32.58]) by odbmap02.extra.chrysler.com (Symantec Messaging Gateway) with SMTP id 1C.28.02812.8F62AA05; Mon, 19 Nov 2012 07:32:56 -0500 (EST)
X-AuditID: 8109281a-b7f646d000000afc-79-50aa26f884cf
Received: from odmsp089-ipmp.oddc.chrysler.com (odmsp089-ipmp.oddc.chrysler.com [53.231.96.248]) by odbmap04.oddc.chrysler.com (Symantec Messaging Gateway) with SMTP id 55.71.02648.7F62AA05; Mon, 19 Nov 2012 07:32:55 -0500 (EST)
Received: from [10.136.151.144] (CITMNCNU1410TPT.cg.chrysler.com [10.136.151.144]) by odmsp089-ipmp.oddc.chrysler.com (8.13.8+Sun/8.13.8/chrysler-relay-1.4-kcd) with ESMTP id qAJCWt2t023942 for <dnsop@ietf.org>; Mon, 19 Nov 2012 07:32:55 -0500 (EST)
Message-ID: <50AA26F7.3030105@chrysler.com>
Date: Mon, 19 Nov 2012 07:32:55 -0500
From: Kevin Darcy <kcd@chrysler.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: dnsop@ietf.org
References: <20121119101834.GA23238@nic.fr>
In-Reply-To: <20121119101834.GA23238@nic.fr>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [DNSOP] Declaring HTTPS mandatory in the DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2012 12:33:21 -0000

On 11/19/2012 5:18 AM, Stephane Bortzmeyer wrote:
> I vaguely remember that there was an Internet-Draft about declaring,
> in the DNS, that a HTTP server MUST be accessed only by HTTPS. But I
> cannot find it, either with the Datatracker or with Google. Any
> pointer?
The closest you're likely to find to that is the (expired) 
http://tools.ietf.org/id/draft-jennings-http-srv-05.txt draft, 
where an HTTPS SRV record might be published for a given site, but no 
equivalent HTTP SRV record. That would implicitly be a "declaration" 
that only HTTPS was supported for the site. Honestly though, I foresee 
that even if SRV record lookup is adopted by the browser community, for 
many years after that, browsers will continue to fall back to 
non-SRV-based connection methods. So the absence of an HTTP SRV record 
is not likely to prevent many HTTP connection attempts in the short to 
medium term.
> (I know about draft-ietf-websec-strict-transport-sec, which is a HTTP
> solution, I'm looking for a DNS one.)
>
>
Despite what the Wikipedia page says, that ID doesn't really define a 
"declaration" that HTTPS is preferred over HTTP as the transport to be 
used for accessing a given web host. The use of HTTPS is *assumed*, 
throughout the ID, in order for the mechanisms defined therein to occur, 
e.g. the use of the special "Strict-Transport-Security" HTTP header. The 
only major reference to non-secure HTTP is a generic recommendation 
("SHOULD") to perform a 301 redirect from HTTP to HTTPS (which hardly 
needs an ID callout, since it's _de_facto_ standard anyway). The ID does 
make reference to a possible "HSTS Pre-Loaded List", i.e. a list of 
sites that a browser would know _a_priori_ to implement HSTS, but there 
is no automated mechanism defined to publish/distribute that list, other 
than a vague suggestion (Section 12.3) that site owners and browser 
implementors get together to bake the list into the software "at the 
factory".

                     - Kevin
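The two signals discussed in this thread, an HTTPS SRV record with no HTTP counterpart (the expired draft-jennings-http-srv idea) versus an HSTS header learned over HTTPS, as an added illustration that is not part of the original message. The zone data and header values are constructed; `ZONE`, `HstsStore` and `choose_scheme` are hypothetical names, and the SRV check is the implicit "declaration" Kevin describes, with plain HTTP as the fallback he predicts.

```python
import re

# Constructed stand-in for live DNS answers: name -> list of SRV tuples
# (priority, weight, port, target). Not a real zone.
ZONE = {
    "_https._tcp.example.com.": [(10, 60, 443, "www1.example.com."),
                                 (10, 40, 443, "www2.example.com.")],
    # example.com publishes no _http._tcp SRV at all
    "_http._tcp.legacy.example.": [(0, 0, 80, "old.legacy.example.")],
}

def srv_lookup(service, host):
    return ZONE.get(f"_{service}._tcp.{host}.", [])

def srv_declares_https_only(host):
    """The draft's implicit declaration: HTTPS SRV present, HTTP SRV absent."""
    return bool(srv_lookup("https", host)) and not srv_lookup("http", host)

HSTS_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)

class HstsStore:
    """Per-host HSTS policy cache, the way a browser keeps one."""
    def __init__(self):
        self.policies = {}          # host -> (expiry_epoch, include_subdomains)

    def observe(self, host, header, over_https, now):
        """Record a Strict-Transport-Security header; returns True if applied."""
        if not over_https:          # HSTS is only honoured when received over TLS
            return False
        m = HSTS_MAX_AGE.search(header or "")
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:            # max-age=0 withdraws the policy
            self.policies.pop(host, None)
            return True
        subs = "includesubdomains" in header.replace(" ", "").lower()
        self.policies[host] = (now + max_age, subs)
        return True

    def must_use_https(self, host, now):
        for known, (expiry, subs) in self.policies.items():
            if now >= expiry:
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

def choose_scheme(host, hsts, now, srv_aware=True):
    """HSTS first, then the SRV signal (if the client looks at SRV), else HTTP."""
    if hsts.must_use_https(host, now):
        return "https"
    if srv_aware and srv_declares_https_only(host):
        return "https"
    return "http"                   # the non-SRV fallback the message predicts
```

A client that ignores SRV (`srv_aware=False`) still reaches `example.com` over plain HTTP until it has seen an HSTS header over HTTPS, which is exactly why the missing HTTP SRV record alone stops few connection attempts.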