Re: [secdir] secdir review of draft-nottingham-http-new-status-03
Julian Reschke <julian.reschke@gmx.de> Mon, 30 January 2012 16:09 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F5221F864B for <secdir@ietfa.amsl.com>; Mon, 30 Jan 2012 08:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.02
X-Spam-Level:
X-Spam-Status: No, score=-104.02 tagged_above=-999 required=5 tests=[AWL=-1.421, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klcWm2InN2Me for <secdir@ietfa.amsl.com>; Mon, 30 Jan 2012 08:09:07 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 8280221F864E for <secdir@ietf.org>; Mon, 30 Jan 2012 08:09:06 -0800 (PST)
Received: (qmail invoked by alias); 30 Jan 2012 16:09:04 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp020) with SMTP; 30 Jan 2012 17:09:04 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1//hA9f/9j/IHz89cZ85ZvK5jB+2wNljL5v1oqVOV bwP6H/QfIHuIlp
Message-ID: <4F26C097.1040209@gmx.de>
Date: Mon, 30 Jan 2012 17:08:55 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Stephen Hanna <shanna@juniper.net>
References: <AC6674AB7BC78549BB231821ABF7A9AEB82253AD14@EMBX01-WF.jnpr.net> <4F109383.1090505@gmx.de> <AC6674AB7BC78549BB231821ABF7A9AEB82253AE7B@EMBX01-WF.jnpr.net> <ED1DC359-2B17-4DA8-82C6-34E6DCDE918E@mnot.net> <0EEB0CDF-6D05-4EA7-9244-CA80C03BD11D@mnot.net> <AC6674AB7BC78549BB231821ABF7A9AEB829FBD878@EMBX01-WF.jnpr.net> <4F26B2C4.9010808@gmx.de> <AC6674AB7BC78549BB231821ABF7A9AEB829FBD8AD@EMBX01-WF.jnpr.net>
In-Reply-To: <AC6674AB7BC78549BB231821ABF7A9AEB829FBD8AD@EMBX01-WF.jnpr.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: "draft-nottingham-http-new-status@tools.ietf.org" <draft-nottingham-http-new-status@tools.ietf.org>, Mark Nottingham <mnot@mnot.net>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2012 16:09:07 -0000
Well, a) this doesn't help for non-HTTPS traffic, anb b) in case of a captive portal intercepting https traffic, we would expect a certificate error, no? Anyway; this is not a security consideration specific to 511, but applies to captive portals in general, no matter whether the new status code is used or not. As such, it *could* be added to Appendix B. Best regards, Julian On 2012-01-30 16:22, Stephen Hanna wrote: > Yes > > -Steve > >> -----Original Message----- >> From: Julian Reschke [mailto:julian.reschke@gmx.de] >> Sent: Monday, January 30, 2012 10:10 AM >> To: Stephen Hanna >> Cc: Mark Nottingham; draft-nottingham-http-new-status@tools.ietf.org; >> secdir@ietf.org; ietf@ietf.org >> Subject: Re: secdir review of draft-nottingham-http-new-status-03 >> >> On 2012-01-30 16:05, Stephen Hanna wrote: >>> Mark, >>> >>> I don't want to rehash the discussion that we've already had. >>> Clearly, you prefer brevity while I would prefer education in >>> this instance. >>> >>> I can live with your text for status codes 428, 429, and 431. For >>> 511, I don't think it's adequate to just say that big security >>> issues already exist. You should at least give some suggestions >>> for how to deal with them. For example, you could point out that >>> most user agents include some indication of whether the server >>> has been authenticated. For captive portals, this indication will >>> generally not be displayed so the user receives some warning >>> that the response did not come from the requested URL. >> >> Are you referring to HTTPS? >> >> Best regards, Julian >
- [secdir] secdir review of draft-nottingham-http-n… Stephen Hanna
- Re: [secdir] secdir review of draft-nottingham-ht… Stephen Hanna
- Re: [secdir] secdir review of draft-nottingham-ht… Julian Reschke
- Re: [secdir] secdir review of draft-nottingham-ht… Mark Nottingham
- Re: [secdir] secdir review of draft-nottingham-ht… Mark Nottingham
- Re: [secdir] secdir review of draft-nottingham-ht… Mark Nottingham
- Re: [secdir] secdir review of draft-nottingham-ht… Stephen Hanna
- Re: [secdir] secdir review of draft-nottingham-ht… Julian Reschke
- Re: [secdir] secdir review of draft-nottingham-ht… Stephen Hanna
- Re: [secdir] secdir review of draft-nottingham-ht… Julian Reschke
- Re: [secdir] secdir review of draft-nottingham-ht… Mark Nottingham