[saag] WebSec summary IETF 83
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 28 March 2012 07:30 UTC
Co-chairs: Tobias Gondrom and Alexey Melnikov

The WG met in the 1st afternoon session on Monday (26-March-2012). WebSec had a two hour session. The following topics were discussed:

HSTS (HTTP Strict Transport Security, draft-ietf-websec-strict-transport-sec-06.txt) is in WGLC. Major outstanding issues discussed at the meeting:

1). Some ABNF consistency issue.

2). Discussed implications/handling of the includeSubDomains directive. Some edge cases might not be covered in the document/not explicitly mentioned in the draft, for example the handling of 0-lifetime HSTS pins in subdomains.

3). Discussed at length whether "no user recourse" should be allowed on any TLS error, or whether exceptions should be made for TLS certificate expiration. There doesn't seem to be consensus to change the current text (which doesn't make any exceptions for expired certificates). Some support for having a new "this site is testing HSTS" directive. Some agreement that informing users (and administrators) of why the site hard-failed is important, instead of just showing "you can't connect to this HSTS site, I will not tell whether CRL verification failed, or your cert is malformed, or the chain can't be verified".

4). Discussion on whether access to OCSP/CRL content should be exempted from the HSTS policy covered by the includeSubDomains directive (they are frequently retrieved over HTTP). This can be addressed in other ways (e.g. move the OCSP/CRL service to a different domain not covered by HSTS). No consensus to change the current text.

Yoav Nir presented the "Extended Origin" idea <http://www.ietf.org/proceedings/83/slides/slides-83-websec-0.pdf>, to allow a single website to be partitioned into multiple pieces. The Extended Origin would then be protocol+host+port+partition_name. Several participants commented that browsers are not going to implement this. Future discussion should be taken to the mailing list; there is no consensus to work on this in the WG so far.
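To make the includeSubDomains and 0-lifetime discussion above concrete, here is an added example (not part of the meeting summary, the HSTS draft, or any browser's code) of a minimal Strict-Transport-Security header parser and a "known HSTS host" store. The class and function names, the expiry model (received time plus max-age) and the sample hostnames are assumptions made for this illustration. It shows the case raised in item 2: a subdomain that sends max-age=0 drops only its own entry, while a parent domain's includeSubDomains policy still covers it.

```python
# Added example: HSTS header parsing and known-host lookup (illustration only).
from typing import Dict, Optional, Tuple


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    not well-formed: max-age missing or non-numeric, or a directive repeated.
    Directive names are matched case-insensitively; empty directives
    (e.g. a trailing ';') are tolerated.
    """
    directives: Dict[str, str] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        # Accept a quoted-string value such as max-age="3600".
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        if name in directives:
            return None  # a directive must not appear twice
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return int(max_age), "includesubdomains" in directives


class HstsStore:
    """Tracks hosts that have asserted HSTS, keyed by lower-cased hostname."""

    def __init__(self) -> None:
        # host -> (expiry_timestamp, include_subdomains)
        self.hosts: Dict[str, Tuple[int, bool]] = {}

    def process_response(self, host: str, header_value: str, now: int) -> bool:
        """Apply one STS header received from `host` over a secure connection.

        Returns False (and changes nothing) when the header is malformed.
        A max-age of 0 is the 0-lifetime case: the host's own entry is removed.
        """
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (now + max_age, include_sub)
        return True

    def is_hsts(self, host: str, now: int) -> bool:
        """True if `host` matches an unexpired entry, either exactly or as a
        subdomain of an entry that carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # stale entry; the policy has lapsed
            if i == 0 or include_sub:
                return True
        return False


def demo() -> bool:
    """Walk through the subdomain / 0-lifetime interaction with constructed hosts."""
    store = HstsStore()
    store.process_response("example.com", "max-age=3600; includeSubDomains", now=1000)
    # The subdomain asks to be forgotten, but the parent policy still applies.
    store.process_response("www.example.com", "max-age=0", now=1500)
    return store.is_hsts("www.example.com", now=1500)


if __name__ == "__main__":
    print("www.example.com still HSTS after its own max-age=0:", demo())
```

The lookup walks from the full hostname up through each parent label, so the result for a subdomain depends on every ancestor's entry, not only on what the subdomain itself last sent; that is exactly the interaction the draft's text was said not to spell out.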
Some quick refresher about FRAME/X-FRAME drafts ("don't put content of this site into a HTML Frame unless ..."). Chairs will ask on the mailing list to accept these drafts as WG drafts. Some questions of whether this should be done in IETF or W3C. Several people (including W3C liaison and the responsible AD) commented that doing this in WebSec is fine. Chairs also quickly talked about MIME sniffing (an editor and reviewers are needed) and CSP header field registration draft, which will be done in W3C with reviews requested from WebSec and HTTPBIS IETF WGs.