Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-05
Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 11 March 2012 16:48 UTC
Hi Jeff, <hat="individual">

thanks. Went through the list of all tickets 1-36 and can confirm that IMHO all have been addressed sufficiently.

Best regards, Tobias

On 09/03/12 21:11, =JeffH wrote:
> New rev:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
>
> With this rev, all issue tickets are now nominally addressed. Full change log below, and full -04 announcement message at end.
>
> Changes from -04 to -05 address: 33, 36
>
> Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36
>
> Changes from -02 to -03 address: 14, 26, 27
>
> Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
>
> full issue ticket list for strict-transport-sec:
> <http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>
>
> Diff from previous version:
> http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05
>
> =JeffH
>
> ==============================================================
>
> Appendix D. Change Log
>
> [RFCEditor: please remove this section upon publication as an RFC.]
>
> Changes are grouped by spec revision listed in reverse issuance order.
>
> D.1. For draft-ietf-websec-strict-transport-sec
>
> Changes from -04 to -05:
>
> 1. Fixed up references to move certain ones back to the normative section -- as requested by Alexey M. Added explanation for referencing obsoleted [RFC3490] and [RFC3492]. This addresses issue ticket #36. <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
> 2. Made minor change to Strict-Transport-Security header field ABNF in order to address further feedback as appended to ticket #33. This addresses issue ticket #33. <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
> Changes from -03 to -04:
>
> 1. Clarified that max-age=0 will cause UA to forget a known HSTS host, and more generally clarified that the "freshest" info from the HSTS host is cached, and thus HSTS hosts are able to alter the cached max-age in UAs. This addresses issue ticket #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>
>
> 2. Updated section on "Constructing an Effective Request URI" to remove remaining reference to RFC3986 and reference RFC2616 instead. Further addresses issue ticket #14. <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
> 3. Addresses further ABNF issues noted in comment:1 of issue ticket #27. <http://trac.tools.ietf.org/wg/websec/trac/ticket/27#comment:1>
>
> 4. Reworked the introduction to clarify the denotation of "HSTS policy" and added the new Appendix B summarizing the primary characteristics of HSTS Policy and Same-Origin Policy, and identifying their differences. Added ref to [RFC4732]. This addresses issue ticket #28. <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
>
> 5. Reworked language in Section 2.3.1.3. wrt "mixed content", more clearly explain such vulnerability, disambiguate "mixed content" in web security context from its usage in markup language context. This addresses issue ticket #29. <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>
>
> 6. Expanded Denial of Service discussion in Security Considerations. Added refs to [RFC4732] and [CWE-113]. This addresses issue ticket #30. <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>
>
> 7. Mentioned in prose the case-insensitivity of directive names. This addresses issue ticket #31. <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>
>
> 8. Added Section 10.3 "Implications of includeSubDomains". This addresses issue ticket #32. <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>
>
> 9. Further refines text and ABNF definitions of STS header field directives. Retains use of quoted-string in directive grammar. This addresses issue ticket #33. <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
> 10. Added Section 14.7 "Creative Manipulation of HSTS Policy Store", including reference to [WebTracking]. This addresses issue ticket #34. <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>
>
> 11. Added Section 14.1 "Ramifications of HSTS Policy Establishment only over Error-free Secure Transport" and made some accompanying editorial fixes in some other sections. This addresses issue ticket #35. <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>
>
> 12. Refined references. Cleaned out un-used ones, updated to latest RFCs for others, consigned many to Informational. This addresses issue ticket #36. <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
> 13. Fixed-up some inaccuracies in the "Changes from -02 to -03" section.
>
> Changes from -02 to -03:
>
> 1. Updated section on "Constructing an Effective Request URI" to remove references to RFC3986. Addresses issue ticket #14. <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
> 2. Reference RFC5890 for IDNA, retaining subordinate refs to RFC3490. Updated IDNA-specific language, e.g. domain name canonicalization and IDNA dependencies. Addresses issue ticket #26 <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.
>
> 3. Completely re-wrote the STS header ABNF to be fully based on RFC2616, rather than a hybrid of RFC2616 and httpbis. Addresses issue ticket #27 <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.
>
> Changes from -01 to -02:
>
> 1. Updated Section 8.2 "URI Loading and Port Mapping" fairly thoroughly in terms of refining the presentation of the steps, and to ensure the various aspects of port mapping are clear. Nominally fixes issue ticket #1 <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>
>
> 2. Removed dependencies on [I-D.draft-ietf-httpbis-p1-messaging-15]. Thus updated STS ABNF in Section 6.1 "Strict-Transport-Security HTTP Response Header Field" by lifting some productions entirely from [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging [RFC2616]. Addresses issue ticket #2 <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.
>
> 3. Updated Effective Request URI section and definition to use language from [I-D.draft-ietf-httpbis-p1-messaging-15] and ABNF from [RFC2616]. Fixes issue ticket #3 <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.
>
> 4. Added explicit mention that the HSTS policy applies to all TCP ports of a host advertising the HSTS policy. Nominally fixes issue ticket #4 <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>
>
> 5. Clarified the need for the "includeSubDomains" directive, e.g. to protect Secure-flagged domain cookies. In Section 14.2 "The Need for includeSubDomains". Nominally fixes issue ticket #5 <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
>
> 6. Cited Firesheep as real-life threat in Section 2.3.1.1 "Passive Network Attackers". Nominally fixes issue ticket #6 <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.
>
> 7. Added text to Section 11 "User Agent Implementation Advice" justifying connection termination due to tls warnings/errors. Nominally fixes issue ticket #7 <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.
>
> 8. Added new subsection Section 8.5 "Interstitially Missing Strict-Transport-Security Response Header Field". Nominally fixes issue ticket #8 <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.
>
> 9. Added text to Section 8.3 "Errors in Secure Transport Establishment" explicitly note revocation check failures as errors causing connection termination. Added references to [RFC5280] and [RFC2560]. Nominally fixes issue ticket #9 <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.
>
> 10. Added a sentence, noting that distributing specific end-entity certificates to browsers will also work for self-signed/private-CA cases, to Section 10 "Server Implementation and Deployment Advice". Nominally fixes issue ticket #10 <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.
>
> 11. Moved "with no user recourse" language from Section 8.3 "Errors in Secure Transport Establishment" to Section 11 "User Agent Implementation Advice". This nominally fixes issue ticket #11 <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.
>
> 12. Removed any and all dependencies on [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending on [RFC2616] only. Fixes issue ticket #12 <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
>
> 13. Removed the inline "XXX1" issue because no one had commented on it and it seems reasonable to suggest as a SHOULD that web apps should redirect incoming insecure connections to secure connections.
>
> 14. Removed the inline "XXX2" issue because it was simply for raising consciousness about having some means for distributing secure web application metadata.
>
> 15. Removed "TODO1" because description prose for "max-age" in the Note following the ABNF in Section 6 seems to be fine.
>
> 16. Decided for "TODO2" that "the first STS header field wins". TODO2 had read: "Decide UA behavior in face of encountering multiple HSTS headers in a message. Use first header? Last?". Removed TODO2.
>
> 17. Added Section 1.1 "Organization of this specification" for readers' convenience.
>
> 18. Moved design decision notes to be a proper appendix Appendix A.
>
> Changes from -00 to -01:
>
> 1. Changed the "URI Loading" section to be "URI Loading and Port Mapping".
>
> 2. [HASMAT] reference changed to [WEBSEC].
>
> 3. Changed "server" -> "host" where applicable, notably when discussing "HSTS Hosts". Left as "server" when discussing e.g. "http server"s.
>
> 4. Fixed minor editorial nits.
>
> Changes from draft-hodges-strict-transport-sec-02 to draft-ietf-websec-strict-transport-sec-00:
>
> 1. Altered spec metadata (e.g. filename, date) in order to submit as a WebSec working group Internet-Draft.
>
> D.2. For draft-hodges-strict-transport-sec
>
> Changes from -01 to -02:
>
> 1. updated abstract such that means for expressing HSTS Policy other than via HSTS header field is noted.
>
> 2. Changed spec title to "HTTP Strict Transport Security (HSTS)" from "Strict Transport Security". Updated use of "STS" acronym throughout spec to HSTS (except for when specifically discussing syntax of Strict-Transport-Security HTTP Response Header field), updated "Terminology" appropriately.
>
> 3. Updated the discussion of "Passive Network Attackers" to be more precise and offered references.
>
> 4. Removed para on normative/non-normative from "Conformance Criteria" pending polishing said section to IETF RFC norms.
>
> 5. Added examples subsection to "Syntax" section.
>
> 6. Added OWS to maxAge production in Strict-Transport-Security ABNF.
>
> 7. Cleaned up explanation in the "Note:" in the "HTTP-over-Secure-Transport Request Type" section, folded 3d para into "Note:", added conformance clauses to the latter.
>
> 8. Added explanatory "Note:" and reference to "HTTP Request Type" section. Added "XXX1" issue.
>
> 9. Added conformance clause to "URI Loading".
>
> 10. Moved "Notes for STS Server implementors:" from "UA Implementation Advice" to "HSTS Policy expiration time considerations:" in "Server Implementation Advice", and also noted another option.
>
> 11. Added cautionary "Note:" to "Ability to delete UA's cached HSTS Policy on a per HSTS Server basis".
>
> 12. Added some informative references.
>
> 13. Various minor editorial fixes.
>
> Changes from -00 to -01:
>
> 1. Added reference to HASMAT mailing list and request that this spec be discussed there.
>
> ==============================================================
>
> Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-05.txt
> From: internet-drafts@ietf.org
> Date: Fri, 09 Mar 2012 13:00:09 -0800
> To: i-d-announce@ietf.org
> Cc: websec@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.
>
> Title     : HTTP Strict Transport Security (HSTS)
> Author(s) : Jeff Hodges
>             Collin Jackson
>             Adam Barth
> Filename  : draft-ietf-websec-strict-transport-sec-05.txt
> Pages     : 43
> Date      : 2012-03-09
>
> This specification defines a mechanism enabling Web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by Web sites via the Strict-Transport-Security HTTP response header field, and/or by other means, such as user agent configuration, for example.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
>
> ==============================================================
> end
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
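The quoted change log fixes several user-agent behaviours for the Strict-Transport-Security header field: directive names are case-insensitive, values may be quoted-strings, policy is only established over error-free secure transport, the first STS header field in a response wins, max-age=0 makes the UA forget a known HSTS host, the freshest max-age replaces the cached one, and includeSubDomains extends the policy to subdomains. The following is an added, constructed illustration of those rules in one small parser and policy store; it is not code from the draft or from any browser, and the names (parse_sts, HstsStore) are hypothetical.

```python
import re

# Constructed example (hypothetical names, not code from the draft or any
# browser): a minimal HSTS header parser and per-host policy store.
_DIRECTIVE = re.compile(r'^\s*([^\s=;"]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^\s;"]+))?\s*$')


def parse_sts(value):
    """Parse a Strict-Transport-Security field value into {name: value}.
    Names are folded to lowercase (case-insensitive); values may be a token or a
    quoted-string. Returns None if unparsable or max-age is missing/non-numeric."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name, val = m.group(1).lower(), m.group(2)
        if val and val.startswith('"'):           # strip and unescape quoted-string
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        directives[name] = val
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


class HstsStore:
    """host -> (expiry, include_subdomains). Policy is set only over error-free
    secure transport; first STS field wins; max-age=0 forgets the host."""
    def __init__(self):
        self.known = {}

    def process_response(self, host, headers, secure_error_free, now):
        if not secure_error_free:
            return False                           # plain HTTP or TLS with errors: ignore
        sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
        d = parse_sts(sts[0]) if sts else None     # first header field wins
        if d is None:
            return False
        if int(d["max-age"]) == 0:
            self.known.pop(host.lower(), None)     # forget the known HSTS host
        else:                                      # freshest max-age replaces cached one
            self.known[host.lower()] = (now + int(d["max-age"]), "includesubdomains" in d)
        return True

    def is_known(self, host, now):
        """Unexpired policy for the host itself, or a superdomain with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```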