[HASMAT] wrt devising a more coherent policy mechanism
=JeffH <Jeff.Hodges@KingsMountain.com> Sun, 18 July 2010 23:04 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A91EB3A6998 for <hasmat@core3.amsl.com>; Sun, 18 Jul 2010 16:04:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.555
X-Spam-Level:
X-Spam-Status: No, score=-1.555 tagged_above=-999 required=5 tests=[AWL=0.710, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cI7QUMKqP0gt for <hasmat@core3.amsl.com>; Sun, 18 Jul 2010 16:04:56 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 89F8F3A68B3 for <hasmat@ietf.org>; Sun, 18 Jul 2010 16:04:56 -0700 (PDT)
Received: (qmail 13811 invoked by uid 0); 18 Jul 2010 23:05:10 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 18 Jul 2010 23:05:10 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=WXJ+XWkvagdu/8VZwMS+fKuSAhnRp08WvwwQxXdoeQkteK6t6D4Jgo7/SxX5xLCEM1BCTPcUDOm3jDuI3lXIAJuwNyZFJwAKh4plh9vIg4JDZ58ChLr3iveEzVPBOwjz;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Oacv0-0000js-9C for hasmat@ietf.org; Sun, 18 Jul 2010 17:05:10 -0600
Message-ID: <4C4388A4.1030301@KingsMountain.com>
Date: Sun, 18 Jul 2010 16:05:08 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF HASMAT list <hasmat@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: [HASMAT] wrt devising a more coherent policy mechanism
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2010 23:04:57 -0000
AndyS said.. > > Lots of things are currently out there scattered all over: > > X-Frame-Options CSP STS No-Sniff And even headers to turn off XSS > sanitization features in browsers for a given site. > > What we're hoping to do through some of the HASMAT work is condense a lot of > that into a more coherent policy mechanism, and add a few things (and I'm > just brainstorming here). Ideally these policies could be controlled in one > place and wouldn't have to get set for every response by a site, they could > be centrally controlled and authoritative. Eventually, yes. Note that the proposed HASMAT charter.. Re: [HASMAT] HASMAT Charter Proposal http://www.ietf.org/mail-archive/web/hasmat/current/msg00006.html ..doesn't go into the "more coherent policy mechanism" work, although it does propose concocting a "problem statement and requirements" document that can be used to guide further work, i.e. addressing the former "more coherent policy mechanism" work after re-chartering the WG. In other words, let's put our heads down and get these present specs finished, and do some requirements gathering before addressing such a big open-ended question. thanks, =JeffH