Re: [secdir] [TLS] secdir review of draft-saintandre-tls-server-id-check-09
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 24 September 2010 22:39 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59FBC3A6AF8 for <secdir@core3.amsl.com>; Fri, 24 Sep 2010 15:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.119
X-Spam-Level:
X-Spam-Status: No, score=-102.119 tagged_above=-999 required=5 tests=[AWL=0.146, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zP-t3Y7z1hEg for <secdir@core3.amsl.com>; Fri, 24 Sep 2010 15:39:23 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 746513A6AEE for <secdir@ietf.org>; Fri, 24 Sep 2010 15:39:23 -0700 (PDT)
Received: (qmail 15512 invoked by uid 0); 24 Sep 2010 22:39:55 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 24 Sep 2010 22:39:55 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=QsdB4qDzlq7iIgDlWq/z12+aJU7Hyt1GUx21EJdL0kgHycejmkMfBJHeus4Moc+mI0Pg074FBGsvYdD41IeYXTDf4peNZYc5onN1UazBGT6me/C9OiZE0v95o874+mlo;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.179]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OzGvr-0000Mn-JM; Fri, 24 Sep 2010 16:39:55 -0600
Message-ID: <4C9D28BB.7010604@KingsMountain.com>
Date: Fri, 24 Sep 2010 15:39:55 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Martin Rex <mrex@sap.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
X-Mailman-Approved-At: Fri, 24 Sep 2010 18:36:44 -0700
Cc: tls@ietf.org, secdir@ietf.org, certid@ietf.org, iesg@ietf.org
Subject: Re: [secdir] [TLS] secdir review of draft-saintandre-tls-server-id-check-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 22:39:25 -0000
On 09/24/2010 01:29 PM, Martin Rex wrote: > Peter Saint-Andre wrote: > >> For context, the "quoted advice" is mostly a description of current >> usage in some existing user agents. Incorporating Barry's suggestions, >> that text currently reads as follows in our working copy: >> >> Security Note: Some existing interactive user agents give advanced >> users the option of proceeding despite an identity mismatch. >> Although this behavior can be appropriate in certain specialized >> circumstances, in general it ought to be exposed only to advanced >> users and even then needs to be handled with extreme caution, for >> example by first encouraging even an advanced user to terminate >> the connection and, if the advanced user chooses to proceed >> .... > > This whole paragraph is evil and completely wrong. PeterSA and I disagree, and echo rrelyea's sentiments. For some background context, see.. ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth In Proceedings of the 17th International World Wide Web Conference (WWW2008) https://crypto.stanford.edu/forcehttps/forcehttps.pdf See also.. HTTP Strict Transport Security (HSTS) http://tools.ietf.org/html/draft-hodges-strict-transport-sec Firefox 4.0 beta 5 <http://blog.mozilla.com/blog/2010/09/07/firefox-4-beta-with-faster-graphics-and-new-audio-capabilities-for-the-web/> "HTTP Strict Transport Security (HSTS) is a new security protocol in Firefox 4 Beta..." =JeffH
- [secdir] secdir review of draft-saintandre-tls-se… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] [TLS] [certid] secdir review of draf… Richard L. Barnes
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] [certid] secdir review of draft-sain… ArkanoiD
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Jeffrey A. Williams
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] secdir review of Martin Rex
- Re: [secdir] [TLS] secdir review of Robert Relyea
- Re: [secdir] [TLS] secdir review of draft-saintan… =JeffH
- Re: [secdir] [TLS] secdir review of Nicolas Williams