[websec] new rev: draft-ietf-websec-strict-transport-sec-04

=JeffH <Jeff.Hodges@KingsMountain.com> Sat, 28 January 2012 00:56 UTC

Message-ID: <4F2347C5.8090406@KingsMountain.com>
Date: Fri, 27 Jan 2012 16:56:37 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-04

New rev:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-04.txt

With this rev, all issue tickets are now nominally addressed. Full change log 
below, and full -04 announcement message at end.

Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

Changes from -02 to -03 address: 14, 26, 27

Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34,
                                  35, 36


full issue ticket list for strict-transport-sec:
<http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>

Diff from previous version:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-04


In a separate message I'll propose a workflow for managing websec issue tickets.

=JeffH

==============================================================

Appendix D.  Change Log

D.1.  For draft-ietf-websec-strict-transport-sec

       Changes from -03 to -04:

       1.   Clarified that max-age=0 will cause UA to forget a known HSTS
            host, and more generally clarified that the "freshest" info
            from the HSTS host is cached, and thus HSTS hosts are able to
            alter the cached max-age in UAs.  This addresses issue ticket
            #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>

       2.   Updated section on "Constructing an Effective Request URI" to
            remove remaining reference to RFC3986 and reference RFC2616
            instead.  Further addresses issue ticket #14.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

       3.   Addresses further ABNF issues noted in comment:1 of issue
            ticket #27.  <http://trac.tools.ietf.org/wg/websec/trac/
            ticket/27#comment:1>

       4.   Reworked the introduction to clarify the denotation of "HSTS
            policy" and added the new Appendix B summarizing the primary
            characteristics of HSTS Policy and Same-Origin Policy, and
            identifying their differences.  Added ref to [RFC4732].  This
            addresses issue ticket #28.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>

       5.   Reworked language in Section 2.3.1.3 wrt "mixed content" to
            more clearly explain the vulnerability and to disambiguate
            "mixed content" in the web security context from its usage
            in the markup language context.  This addresses issue ticket #29.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>

       6.   Expanded Denial of Service discussion in Security
            Considerations.  Added refs to [RFC4732] and [CWE-113].  This
            addresses issue ticket #30.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>

       7.   Mentioned in prose the case-insensitivity of directive names.
            This addresses issue ticket #31.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>

       8.   Added Section 10.3 "Implications of includeSubDomains".  This
            addresses issue ticket #32.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>

       9.   Further refines text and ABNF definitions of STS header field
            directives.  Retains use of quoted-string in directive
            grammar.  This addresses issue ticket #33.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

       10.  Added Section 14.7 "Creative Manipulation of HSTS Policy
            Store", including reference to [WebTracking].  This addresses
            issue ticket #34.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>

       11.  Added Section 14.1 "Ramifications of HSTS Policy
            Establishment only over Error-free Secure Transport" and made
            some accompanying editorial fixes in some other sections.
            This addresses issue ticket #35.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>

       12.  Refined references.  Cleaned out un-used ones, updated to
            latest RFCs for others, consigned many to Informational.
            This addresses issue ticket #36.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>


       13.  Fixed-up some inaccuracies in the "Changes from -02 to -03"
            section.


       Changes from -02 to -03:

       1.  Updated section on "Constructing an Effective Request URI" to
           remove references to RFC3986.  Addresses issue ticket #14.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

       2.  Reference RFC5890 for IDNA, retaining subordinate refs to
           RFC3490.  Updated IDNA-specific language, e.g. domain name
           canonicalization and IDNA dependencies.  Addresses issue
           ticket #26
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.

       3.  Completely re-wrote the STS header ABNF to be fully based on
           RFC2616, rather than a hybrid of RFC2616 and httpbis.
           Addresses issue ticket #27
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.


       Changes from -01 to -02:

       1.   Updated Section 8.2 "URI Loading and Port Mapping" fairly
            thoroughly in terms of refining the presentation of the
            steps, and to ensure the various aspects of port mapping are
            clear.  Nominally fixes issue ticket #1
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>

       2.   Removed dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
            ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
            Header Field" by lifting some productions entirely from
            [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
            [RFC2616].  Addresses issue ticket #2
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.

       3.   Updated Effective Request URI section and definition to use
            language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
            ABNF from [RFC2616].  Fixes issue ticket #3
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.

       4.   Added explicit mention that the HSTS policy applies to all
            TCP ports of a host advertising the HSTS policy.  Nominally
            fixes issue ticket #4
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>

       5.   Clarified the need for the "includeSubDomains" directive,
            e.g. to protect Secure-flagged domain cookies.  In
            Section 14.2 "The Need for includeSubDomains".  Nominally
            fixes issue ticket #5
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>

       6.   Cited Firesheep as real-live threat in Section 2.3.1.1
            "Passive Network Attackers".  Nominally fixes issue ticket #6
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.

       7.   Added text to Section 11 "User Agent Implementation Advice"
            justifying connection termination due to tls warnings/errors.
            Nominally fixes issue ticket #7
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.

       8.   Added new subsection Section 8.5 "Interstitially Missing
            Strict-Transport-Security Response Header Field".  Nominally
            fixes issue ticket #8
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.

       9.   Added text to Section 8.3 "Errors in Secure Transport
            Establishment" to explicitly note revocation check failures as
            errors causing connection termination.  Added references to
            [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.

       10.  Added a sentence, noting that distributing specific end-
            entity certificates to browsers will also work for self-
            signed/private-CA cases, to Section 10 "Server Implementation
            and Deployment Advice".  Nominally fixes issue ticket #10
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.

       11.  Moved "with no user recourse" language from Section 8.3
            "Errors in Secure Transport Establishment" to Section 11
            "User Agent Implementation Advice".  This nominally fixes
            issue ticket #11
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.

       12.  Removed any and all dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
            on [RFC2616] only.  Fixes issue ticket #12
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.

       13.  Removed the inline "XXX1" issue because no one had commented
            on it and it seems reasonable to suggest as a SHOULD that web
            apps should redirect incoming insecure connections to secure
            connections.

       14.  Removed the inline "XXX2" issue because it was simply for
            raising consciousness about having some means for
            distributing secure web application metadata.

       15.  Removed "TODO1" because description prose for "max-age" in
            the Note following the ABNF in Section 6 seems to be fine.

       16.  Decided for "TODO2" that "the first STS header field wins".
            TODO2 had read: "Decide UA behavior in face of encountering
            multiple HSTS headers in a message.  Use first header?
            Last?".  Removed TODO2.

       17.  Added Section 1.1 "Organization of this specification" for
            readers' convenience.

       18.  Moved design decision notes to be a proper appendix
            Appendix A.
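Several of the UA-side behaviours named in the change log above (item 1 of -03 to -04: max-age=0 forgets a known HSTS host and the freshest max-age replaces the cached one; item 7: directive names are case-insensitive; item 9: directive values may be quoted-strings; item 16 of -01 to -02: the first STS header field wins) fit in a small model. The following Python is an added example written for this page, not code from the draft or its authors. The HstsEntry/HstsPolicyStore names, the injectable clock and the header values in the usage section are assumptions; the parser handles only the simple quoted-string form (no backslash escapes) and takes host names as already canonicalised lowercase.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class HstsEntry:
    expires_at: float        # absolute time after which the cached policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[dict]:
    """Parse one Strict-Transport-Security field value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    field value is not conformant (no max-age, non-numeric max-age, or a
    directive that appears twice). Directive names are matched
    case-insensitively; a directive-value given as a quoted-string means the
    same as the bare token (simple quoted-strings only, no backslash escapes).
    Unknown directives are ignored so that later extensions do not break parsing.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                          # tolerate an empty element, e.g. a trailing ';'
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if name in directives:
            return None                       # a repeated directive makes the field invalid
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        directives[name] = raw
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}


class HstsPolicyStore:
    """Minimal UA-side store of known HSTS hosts (hypothetical name, for illustration)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                        # injectable clock so expiry can be tested
        self._hosts: Dict[str, HstsEntry] = {}

    def process_response(self, host: str, sts_values: List[str]) -> None:
        """Apply the STS header field(s) of a response received over error-free TLS.

        `host` is the already-canonicalised (lowercase) host of the effective
        request URI. Only the first STS header field is considered.
        """
        if not sts_values:
            return
        parsed = parse_sts_header(sts_values[0])   # the first STS header field wins
        if parsed is None:
            return                                  # invalid field: leave the store untouched
        if parsed["max_age"] == 0:
            self._hosts.pop(host, None)             # max-age=0 makes the UA forget the host
            return
        # The freshest information from the host replaces whatever was cached,
        # so a host can shorten or extend its own max-age on every response.
        self._hosts[host] = HstsEntry(
            expires_at=self._now() + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )

    def is_known_host(self, host: str) -> bool:
        """True if `host` matches a live entry (exactly, or as a subdomain of an
        includeSubDomains entry). Expired entries are dropped on the way."""
        now = self._now()
        for name in list(self._hosts):
            entry = self._hosts[name]
            if entry.expires_at <= now:
                del self._hosts[name]
                continue
            if host == name:
                return True
            if entry.include_subdomains and host.endswith("." + name):
                return True
        return False


if __name__ == "__main__":
    store = HstsPolicyStore()
    # Constructed header values, not captured from any real site.
    store.process_response("example.com", ['MAX-AGE="31536000"; includeSubDomains', "max-age=1"])
    print(store.is_known_host("www.example.com"))   # True: first field won, subdomains included
    store.process_response("example.com", ["max-age=0"])
    print(store.is_known_host("example.com"))       # False: the host has been forgotten
```

The store deliberately ignores a malformed field rather than clearing the entry, so a broken header cannot downgrade a host that previously set a valid policy; only an explicit, well-formed max-age=0 does that.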


========================================================================
Subject: I-D Action: draft-ietf-websec-strict-transport-sec-04.txt
From: internet-drafts@ietf.org
Date: Fri, 27 Jan 2012 16:31:54 -0800
To: i-d-announce@ietf.org
Cc: websec@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                           Collin Jackson
                           Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-04.txt
	Pages           : 43
	Date            : 2012-01-27

    This specification defines a mechanism enabling Web sites to declare
    themselves accessible only via secure connections, and/or for users
    to be able to direct their user agent(s) to interact with given sites
    only over secure connections.  This overall policy is referred to as
    HTTP Strict Transport Security (HSTS).  The policy is declared by Web
    sites via the Strict-Transport-Security HTTP response header field,
    and/or by other means, such as user agent configuration, for example.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-04.txt

---
end