Re: [TLS] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 24 September 2010 22:46 UTC
To: Martin Rex <mrex@sap.com>
Cc: tls@ietf.org, secdir@ietf.org, certid@ietf.org, iesg@ietf.org, barryleiba@computer.org, jhutz@cmu.edu

On 09/24/2010 01:29 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>
>> For context, the "quoted advice" is mostly a description of current
>> usage in some existing user agents. Incorporating Barry's suggestions,
>> that text currently reads as follows in our working copy:
>>
>>    Security Note: Some existing interactive user agents give advanced
>>    users the option of proceeding despite an identity mismatch.
>>    Although this behavior can be appropriate in certain specialized
>>    circumstances, in general it ought to be exposed only to advanced
>>    users and even then needs to be handled with extreme caution, for
>>    example by first encouraging even an advanced user to terminate
>>    the connection and, if the advanced user chooses to proceed
>>    ....
>
> This whole paragraph is evil and completely wrong.

PeterSA and I disagree, and echo rrelyea's sentiments.

For some background context, see..

   ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
   Collin Jackson and Adam Barth
   In Proceedings of the 17th International World Wide Web Conference (WWW2008)
   https://crypto.stanford.edu/forcehttps/forcehttps.pdf

See also..

   HTTP Strict Transport Security (HSTS)
   http://tools.ietf.org/html/draft-hodges-strict-transport-sec

   Firefox 4.0 beta 5
   <http://blog.mozilla.com/blog/2010/09/07/firefox-4-beta-with-faster-graphics-and-new-audio-capabilities-for-the-web/>
   "HTTP Strict Transport Security (HSTS) is a new security protocol in Firefox 4 Beta..."

=JeffH