[websec] new rev: draft-ietf-websec-strict-transport-sec-13

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 01 October 2012 15:45 UTC

Date: Mon, 01 Oct 2012 08:45:35 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-13

New rev:

please see the change log excerpt included below for details. This rev addresses 
comments raised during IESG review.


All issue tickets are closed.

full issue ticket list for strict-transport-sec:

Redline spec diff from previous rev:

side-by-side diff from previous rev:

Change Log for this rev is below.



Appendix D.  Change Log

    [RFCEditor: please remove this section upon publication as an RFC.]

    Changes are grouped by spec revision listed in reverse issuance

D.1.  For draft-ietf-websec-strict-transport-sec

       Changes from -13 to -14:

       1.  Added a new subsection entitled "Considerations for Offering
           Unsecured HTTP Services at Alternate Ports or Subdomains of an
           HSTS Host" to section 11.4 "Implications of
           includeSubDomains".  This addresses Robert Sparks' Discuss
           point (1): <https://datatracker.ietf.org/doc/

           Also s/flag/directive/ for all uses of e.g. "includeSubDomains
           flag", and noted that the presence of an includeSubDomains
           directive in an STS header field means it is "asserted".

       2.  Added a definition of an expired known HSTS Host, as well as a
           stipulation that the UA must evict expired known HSTS hosts
           from the cache (to section 8.1.1 "Noting an HSTS Host -
           Storage Model").  Added an "unexpired" adjective appropriately
           to section 8.2 "Known HSTS Host Domain Name Matching".  This
           addresses Robert Sparks' Discuss point (2): <https://

       3.  Added a note in 14.4 on a reason for clients to consider
           providing a way for users to remove entries from the cache.
           This addresses Robert Sparks' first Comment: <https://

       4.  Noted in the 2nd para of section 7.1 that HTTP is running over
           secure transport.  This addresses Robert Sparks' second
           comment ("nit"): <https://datatracker.ietf.org/doc/

       5.  Struck the "or perhaps others" phrase from Section 7.  Added
           Section 14 "Underlying Secure Transport Considerations" to Sec
           Cons.  This addresses a portion of Eric Rescorla's

       6.  Added a NOTE to Section 8.3 URI Loading and Port Mapping
           regarding non-HTTPS servers running at non-standard ports
           identified in URIs.  Added item (6) to Appendix A explaining
           the port mapping design decision.  This addresses the other
           portion of EKR's feedback.
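As an added illustration (my own code, not text from the draft or this email), the following Python model ties together the behaviour that change log items 2 and 6 describe: a known-HSTS-host cache that evicts expired entries, domain-name matching that only consults unexpired entries and honours an asserted includeSubDomains directive, and http-to-https URI rewriting that maps an explicit port 80 to 443 while preserving any other explicit port. Class and function names (`HstsCache`, `parse_sts`) are my own choices, and the injectable `now` clock exists only so the expiry path can be exercised deterministically.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Parse a Strict-Transport-Security field value into (max_age, include_subdomains).
    Returns None when the mandatory max-age directive is absent."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and max_age is None:
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True  # presence of the directive alone means it is asserted
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock (assumption for testing), seconds
        self.hosts = {}         # host -> (expiry_time, include_subdomains)

    def note(self, host, header):
        """Section 8.1.1 storage model: record the host with an absolute expiry."""
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 signals removal
        else:
            self.hosts[host.lower()] = (self.now() + max_age, include_sub)

    def _evict_expired(self):
        now = self.now()
        self.hosts = {h: v for h, v in self.hosts.items() if v[0] > now}

    def is_known(self, host):
        """Section 8.2 matching over unexpired entries only: a congruent match, or a
        superdomain match when that superdomain asserted includeSubDomains."""
        self._evict_expired()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, uri):
        """Section 8.3 port mapping: http -> https for known hosts; port 80 becomes the
        https default, any other explicit port is preserved. Userinfo is not carried over."""
        parts = urlsplit(uri)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return uri
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```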

       Changes from -12 to -13: