Re: [Uta] STS directive registry: separate or shared?
Aaron Zauner <azet@azet.org> Fri, 15 April 2016 09:19 UTC
Return-Path: <azet@azet.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87C1712E3A2 for <uta@ietfa.amsl.com>; Fri, 15 Apr 2016 02:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SKQcc3IREZ-P for <uta@ietfa.amsl.com>; Fri, 15 Apr 2016 02:19:06 -0700 (PDT)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BD0B12D66F for <uta@ietf.org>; Fri, 15 Apr 2016 02:19:04 -0700 (PDT)
Received: by mail-pa0-x22f.google.com with SMTP id er2so25220223pad.3 for <uta@ietf.org>; Fri, 15 Apr 2016 02:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=neXPEAvKvu22AfZY45B/GNWacUXazYfNHKj0WEtdPRE=; b=P5ERZC6WPFzQK+bI+I/hmpJOfweqap8of9+RwNhcADeA1UW3/uDJ7pkrPFYZ5L1iqd bvUK6nUeLr+clrKuriLK23E3HsMUIBlVRXWzO7l3JCUpWZ/khKo186b2GxSG23jq7wvP MrFy02DDdNixC6JeObkpw6kFiwHz6PDx9aB4A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=neXPEAvKvu22AfZY45B/GNWacUXazYfNHKj0WEtdPRE=; b=Ob+JTtRejfEiuh2C7HQsX1oeigUi7XUGTkAwP1e8GupIpnjsUorV3KBCUhA/i4ZNWk ks6fe0w+NTAXvBxj/L4KU0xtbHTBlnj/EEn5TE/RXbSQFifqiXR6J0KeqiJ0kLCTlIGO 03EI2bxWKXoE3+XfjTYj70Nme8ojzboiLpC8rAxGOYPOR9LjWHUKyfLTL3/V6If+SSrC Ls3b5x0bbWzsiZoRwafleUNt+2djFX2WsHot7LASbGQki39bTrprm6aHWjTQ4A/Ch2fv gFaAcAgADvTlcsFnyEeWMrx9ETUIPEieA6sWS0ZEqjr9DFoYPWWiyRczV8n+jbXDfCJj E7hA==
X-Gm-Message-State: AOPr4FWDWSR6m/yI7SJPwcgDuoOUzuv+mp0x4YEGOC/CFo78QiEBf823a7fOt+sZ2ySATw==
X-Received: by 10.67.30.163 with SMTP id kf3mr28023018pad.45.1460711943377; Fri, 15 Apr 2016 02:19:03 -0700 (PDT)
Received: from [172.20.10.7] (ppp-49-237-172-94.revip6.asianet.co.th. [49.237.172.94]) by smtp.gmail.com with ESMTPSA id 79sm63253907pfq.65.2016.04.15.02.18.59 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 15 Apr 2016 02:19:00 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_EDB4C354-0819-47F4-A165-2450EC373FCB"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <etPan.570fcb56.1b83edb9.17026@dhcp-amer-vpn-adc-anyconnect-10-154-168-221.vpn.oracle.com>
Date: Fri, 15 Apr 2016 16:19:37 +0700
Message-Id: <F04507EE-260F-4793-BBC3-26FF60E0CFFE@azet.org>
References: <etPan.570fcb56.1b83edb9.17026@dhcp-amer-vpn-adc-anyconnect-10-154-168-221.vpn.oracle.com>
To: Chris Newman <chris.newman@oracle.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/V4BUP2b3IJOnthd9Qtlwj5g5DaA>
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] STS directive registry: separate or shared?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2016 09:19:08 -0000
Hi, > On 14 Apr 2016, at 23:54, Chris Newman <chris.newman@oracle.com> wrote: > > Right now we have 3 STS proposals: HSTS, SMTP relay STS and MUA STS (DEEP). > > HSTS described its extensibility model, but punted on actually creating a registry. A registry covering HSTS would be useful because there’s at least one limited-use directive in the wild in addition to those in the HSTS base spec. MUA STS currently describes an extensibility model and creates a registry just for itself. SMTP relay STS is missing both an extensibility model and registry, although Viktor has made a compelling case that we we want to be minimal on SMTP relay STS directives (at least initially). This makes a lot of sense. > > There are two ways to move forward: > > 1. Each protocol is responsible for it’s own extension model and registry. This has the advantage of getting MUA STS done sooner, but we’ll probably end up with 2 or 3 separate registries with some redundancy and potential for semantic conflicts in STS directives with the same name between protocols. > > 2. We create a combined STS registry that includes a protocol-applicability field for each directive. Some directives would be multi-protocol (e.g., max-age may be shared between HSTS and SMTP relay STS), most would be single-protocol initially (that could change later). One advantage to this approach is it gives us a place to include some prose about why STS proposals are different and why different applicability is important. But this would take a bit longer and mean the WG would have another draft. This would make life slightly simpler for SMTP relay STS as it would just have to describe its extensibility model and point to the shared registry. If we do this, I am willing to co-author the shared-registry spec and Jeff Hodges (co-author of HSTS spec) is also willing to co-author the spec. > > I lean slightly towards option 2, but we need a WG rough consensus to pursue that option as it’s a fairly significant change to MUA STS. Comments? But it's a good point that #1 would get MUA-STS out of the door sooner, which is something I'd very much like to see deployed. Difficult, but I think option #2 is the way to go. Thanks for working on this, Aaron
- [Uta] STS directive registry: separate or shared? Chris Newman
- Re: [Uta] STS directive registry: separate or sha… Alexey Melnikov
- Re: [Uta] STS directive registry: separate or sha… Mark Risher
- Re: [Uta] STS directive registry: separate or sha… Aaron Zauner