[saag] WebSec summary IETF 83

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 28 March 2012 07:30 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51F3821F8611 for <saag@ietfa.amsl.com>; Wed, 28 Mar 2012 00:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level:
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxdPiU0VpXEH for <saag@ietfa.amsl.com>; Wed, 28 Mar 2012 00:30:35 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF7D21F860D for <saag@ietf.org>; Wed, 28 Mar 2012 00:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332919833; d=isode.com; s=selector; i=@isode.com; bh=RCARKqoQ+e5wG/OUxrrut1FvpsRz2NmdZtbgRsqiasI=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=pCPWa21N43Hh5FP6VL9CsUx0dAUaC8bEpEV6tQk7LwFrwEk6wykwluT2fXrUFimqnwzJBT c050osNujDcRZarutnv1jb37zTAXpVvhuiu2JxvE/eTXcpatxr6trgrxz40VUxcatoN9jO hGwO5WdsWvAtcKHuXGjTwAPdkdwAH4A=;
Received: from [130.129.23.230] (dhcp-17e6.meeting.ietf.org [130.129.23.230]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T3K-GAAiko3Y@rufus.isode.com>; Wed, 28 Mar 2012 08:30:33 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F72BE1D.9020200@isode.com>
Date: Wed, 28 Mar 2012 09:30:37 +0200
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: saag@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [saag] WebSec summary IETF 83
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 07:30:36 -0000

Co-chairs: Tobias Gondrom and Alexey Melnikov

The WG met in the 1st afternoon session on Monday (26-March-2012). 
WebSec had a two-hour session. The following topics were discussed:

HSTS (HTTP Strict Transport Security, 
draft-ietf-websec-strict-transport-sec-06.txt) is in WGLC. Major 
outstanding issues discussed at the meeting:

1). Some ABNF consistency issue

2). Discussed the implications and handling of the includeSubDomains 
directive. Some edge cases might not be covered or explicitly mentioned 
in the draft, for example the handling of 0-lifetime HSTS pins in subdomains.

3). Discussed at length whether "no user recourse" should be allowed on 
any TLS error, or whether an exception should be made for TLS certificate 
expiration. There does not seem to be consensus to change the current 
text (which makes no exception for expired certificates).

Some support for having a new "this site is testing HSTS" directive.

Some agreement that informing users (and administrators) of why the site 
hard-failed is important, instead of just showing "you can't connect to 
this HSTS site, I will not tell whether CRL verification failed, or your 
cert is malformed, or the chain can't be verified".

4). Discussion on whether access to OCSP/CRL content should be exempted 
from HSTS policy when it is covered by the includeSubDomains directive 
(OCSP responses and CRLs are frequently retrieved over plain HTTP). This 
can be addressed in other ways (e.g. by moving the OCSP/CRL service to a 
different domain not covered by HSTS). No consensus to change the current text.
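To make items 2) and 4) concrete, here is a small HSTS policy store written 
for this summary as an added illustration; it is not code from the draft, 
the WG, or any browser. It parses the Strict-Transport-Security header value 
(max-age required, optional includeSubDomains, unknown directives ignored), 
treats max-age=0 as removal of that exact host, and matches a host against 
its superdomains. The two behaviours it demonstrates are the subdomain 
edge case (a subdomain sending max-age=0 does not escape a parent's 
includeSubDomains policy) and the OCSP/CRL problem (a CRL URL under a 
covered subdomain gets upgraded to https, while a CRL on a separate domain 
does not). The exact matching rules are my reading of the HSTS model, 
stated here as an assumption, not a quotation of draft-06; the hostnames 
and clock values are constructed.

```python
"""Toy HSTS policy store (added example, not the draft's or a browser's code).
Assumed behaviour: a header seen over HTTPS with max-age=0 deletes the entry
for that exact host; a host is an HSTS host if it, or a superdomain whose
entry carries includeSubDomains, is in the store."""
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS header value into (max_age, include_subdomains).
    Returns None for a malformed value (no max-age, a repeated directive,
    a non-numeric max-age); a UA ignores such a header."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # quoted-string form is permitted
        if name in seen:
            return None                      # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored for forward compatibility
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        # host -> (expiry timestamp, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def note_header(self, host: str, header: str, secure: bool = True) -> None:
        """Record an STS header received from `host`. Headers seen over plain
        HTTP are ignored; max-age=0 removes the entry for that exact host."""
        if not secure:
            return
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._now() + max_age, include_subdomains)

    def is_hsts_host(self, host: str) -> bool:
        """True if `host` is a known HSTS host itself, or a subdomain of one
        whose entry has includeSubDomains. Expired entries are dropped lazily."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self._now():
                del self._hosts[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL whose host is covered by HSTS policy
        (explicit port 80 becomes the https default; other ports are kept)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()


def demo() -> dict:
    """Constructed scenario for items 2) and 4) of the meeting summary."""
    clock = [1_000_000.0]                    # fake clock so results are stable
    store = HstsStore(now=lambda: clock[0])
    store.note_header("example.com", "max-age=31536000; includeSubDomains")
    crl_upgraded = store.rewrite("http://crl.example.com/ca.crl")
    store.note_header("crl.example.com", "max-age=0")   # subdomain tries to opt out
    still_covered = store.is_hsts_host("crl.example.com")
    crl_elsewhere = store.rewrite("http://crl.example-pki.test/ca.crl")
    store.note_header("insecure.test", "max-age=100", secure=False)
    return {
        "crl_upgraded": crl_upgraded,
        "subdomain_still_covered": still_covered,
        "crl_elsewhere": crl_elsewhere,
        "insecure_header_ignored": not store.is_hsts_host("insecure.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` result shows why item 4) matters: once `example.com` asserts 
includeSubDomains, a CRL fetched from `crl.example.com` is forced onto 
https, and the subdomain cannot undo that with its own max-age=0; hosting 
the CRL on a domain outside the policy is what keeps it reachable over 
plain HTTP.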

Yoav Nir presented the "Extended Origin" idea 
<http://www.ietf.org/proceedings/83/slides/slides-83-websec-0.pdf>, which 
would allow a single website to be partitioned into multiple pieces. The 
Extended Origin would then be protocol+host+port+partition_name. Several 
participants commented that browsers are not going to implement this.
Further discussion should be taken to the mailing list; so far there is no 
consensus to work on this in the WG.

A quick refresher on the FRAME/X-FRAME drafts ("don't put content of 
this site into an HTML frame unless ...").
Chairs will ask on the mailing list whether to accept these drafts as WG drafts.
Some questions were raised about whether this should be done in the IETF 
or the W3C. Several people (including the W3C liaison and the responsible 
AD) commented that doing this in WebSec is fine.

Chairs also quickly talked about MIME sniffing (an editor and reviewers 
are needed) and the CSP header field registration draft, which will be 
done in the W3C with reviews requested from the WebSec and HTTPBIS IETF WGs.