Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-05

Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 11 March 2012 16:48 UTC


Hi Jeff,

<hat="individual">
thanks. Went through the list of all tickets 1-36 and can confirm that 
IMHO all have been addressed sufficiently.

Best regards, Tobias


On 09/03/12 21:11, =JeffH wrote:
> New rev:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
> With this rev, all issue tickets are now nominally addressed. Full 
> change log
> below, and full -04 announcement message at end.
>
> Changes from -04 to -05 address: 33, 36
>
> Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34,
>                                   35, 36
>
> Changes from -02 to -03 address: 14, 26, 27
>
> Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
>
>
> full issue ticket list for strict-transport-sec:
> <http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id> 
>
>
> Diff from previous version:
> http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05 
>
>
> =JeffH
>
>
> ==============================================================
>
> Appendix D.  Change Log
>
>    [RFCEditor: please remove this section upon publication as an RFC.]
>
>    Changes are grouped by spec revision listed in reverse issuance
>    order.
>
> D.1.  For draft-ietf-websec-strict-transport-sec
>
>       Changes from -04 to -05:
>
>       1.  Fixed up references to move certain ones back to the normative
>           section -- as requested by Alexey M. Added explanation for
>           referencing obsoleted [RFC3490] and [RFC3492].  This addresses
>           issue ticket #36.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
>       2.  Made minor change to Strict-Transport-Security header field
>           ABNF in order to address further feedback as appended to
>           ticket #33.  This addresses issue ticket #33.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
>       Changes from -03 to -04:
>
>       1.   Clarified that max-age=0 will cause UA to forget a known HSTS
>            host, and more generally clarified that the "freshest" info
>            from the HSTS host is cached, and thus HSTS hosts are able to
>            alter the cached max-age in UAs.  This addresses issue ticket
>            #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>
>
>       2.   Updated section on "Constructing an Effective Request URI" to
>            remove remaining reference to RFC3986 and reference RFC2616
>            instead.  Further addresses issue ticket #14.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
>       3.   Addresses further ABNF issues noted in comment:1 of issue
>            ticket #27. <http://trac.tools.ietf.org/wg/websec/trac/
>            ticket/27#comment:1>
>
>       4.   Reworked the introduction to clarify the denotation of "HSTS
>            policy" and added the new Appendix B summarizing the primary
>            characteristics of HSTS Policy and Same-Origin Policy, and
>            identifying their differences.  Added ref to [RFC4732].  This
>            addresses issue ticket #28.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
>
>       5.   Reworked language in Section 2.3.1.3. wrt "mixed content",
>            more clearly explain such vulnerability, disambiguate "mixed
>            content" in web security context from its usage in markup
>            language context.  This addresses issue ticket #29.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>
>
>       6.   Expanded Denial of Service discussion in Security
>            Considerations.  Added refs to [RFC4732] and [CWE-113].  This
>            addresses issue ticket #30.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>
>
>       7.   Mentioned in prose the case-insensitivity of directive names.
>            This addresses issue ticket #31.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>
>
>       8.   Added Section 10.3 "Implications of includeSubDomains".  This
>            addresses issue ticket #32.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>
>
>       9.   Further refines text and ABNF definitions of STS header field
>            directives.  Retains use of quoted-string in directive
>            grammar.  This addresses issue ticket #33.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
>       10.  Added Section 14.7 "Creative Manipulation of HSTS Policy
>            Store", including reference to [WebTracking].  This addresses
>            issue ticket #34.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>
>
>       11.  Added Section 14.1 "Ramifications of HSTS Policy
>            Establishment only over Error-free Secure Transport" and made
>            some accompanying editorial fixes in some other sections.
>            This addresses issue ticket #35.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>
>
>
>
> Hodges, et al.         Expires September 10, 2012              [Page 38]
> 
> Internet-Draft    HTTP Strict Transport Security (HSTS)       March 2012
>
>
>       12.  Refined references.  Cleaned out un-used ones, updated to
>            latest RFCs for others, consigned many to Informational.
>            This addresses issue ticket #36.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
>       13.  Fixed-up some inaccuracies in the "Changes from -02 to -03"
>            section.
>
>       Changes from -02 to -03:
>
>       1.  Updated section on "Constructing an Effective Request URI" to
>           remove references to RFC3986.  Addresses issue ticket #14.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
>       2.  Reference RFC5890 for IDNA, retaining subordinate refs to
>           RFC3490.  Updated IDNA-specific language, e.g. domain name
>           canonicalization and IDNA dependencies.  Addresses issue
>           ticket #26
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.
>
>       3.  Completely re-wrote the STS header ABNF to be fully based on
>           RFC2616, rather than a hybrid of RFC2616 and httpbis.
>           Addresses issue ticket #27
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.
>
>       Changes from -01 to -02:
>
>       1.   Updated Section 8.2 "URI Loading and Port Mapping" fairly
>            thoroughly in terms of refining the presentation of the
>            steps, and to ensure the various aspects of port mapping are
>            clear.  Nominally fixes issue ticket #1
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>
>
>       2.   Removed dependencies on
>            [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
>            ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
>            Header Field" by lifting some productions entirely from
>            [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
>            [RFC2616].  Addresses issue ticket #2
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.
>
>       3.   Updated Effective Request URI section and definition to use
>            language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
>            ABNF from [RFC2616].  Fixes issue ticket #3
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.
>
>       4.   Added explicit mention that the HSTS policy applies to all
>            TCP ports of a host advertising the HSTS policy.  Nominally
>            fixes issue ticket #4
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>
>
>       5.   Clarified the need for the "includeSubDomains" directive,
>            e.g. to protect Secure-flagged domain cookies.  In
>            Section 14.2 "The Need for includeSubDomains".  Nominally
>            fixes issue ticket #5
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
>
>       6.   Cited Firesheep as real-life threat in Section 2.3.1.1
>            "Passive Network Attackers".  Nominally fixes issue ticket #6
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.
>
>       7.   Added text to Section 11 "User Agent Implementation Advice"
>            justifying connection termination due to tls warnings/errors.
>            Nominally fixes issue ticket #7
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.
>
>       8.   Added new subsection Section 8.5 "Interstitially Missing
>            Strict-Transport-Security Response Header Field".  Nominally
>            fixes issue ticket #8
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.
>
>       9.   Added text to Section 8.3 "Errors in Secure Transport
>            Establishment" explicitly note revocation check failures as
>            errors causing connection termination.  Added references to
>            [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.
>
>       10.  Added a sentence, noting that distributing specific end-
>            entity certificates to browsers will also work for self-
>            signed/private-CA cases, to Section 10 "Server Implementation
>            and Deployment Advice" Nominally fixes issue ticket #10
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.
>
>       11.  Moved "with no user recourse" language from Section 8.3
>            "Errors in Secure Transport Establishment" to Section 11
>            "User Agent Implementation Advice".  This nominally fixes
>            issue ticket #11
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.
>
>       12.  Removed any and all dependencies on
>            [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
>            on [RFC2616] only.  Fixes issue ticket #12
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
>
>       13.  Removed the inline "XXX1" issue because no one had commented
>            on it and it seems reasonable to suggest as a SHOULD that web
>            apps should redirect incoming insecure connections to secure
>            connections.
>
>       14.  Removed the inline "XXX2" issue because it was simply for
>            raising consciousness about having some means for
>            distributing secure web application metadata.
>
>       15.  Removed "TODO1" because description prose for "max-age" in
>            the Note following the ABNF in Section 6 seems to be fine.
>
>       16.  Decided for "TODO2" that "the first STS header field wins".
>            TODO2 had read: "Decide UA behavior in face of encountering
>            multiple HSTS headers in a message.  Use first header?
>            Last?".  Removed TODO2.
>
>       17.  Added Section 1.1 "Organization of this specification" for
>            readers' convenience.
>
>       18.  Moved design decision notes to be a proper appendix
>            Appendix A.
>
>       Changes from -00 to -01:
>
>       1.  Changed the "URI Loading" section to be "URI Loading and Port
>           Mapping".
>
>       2.  [HASMAT] reference changed to [WEBSEC].
>
>       3.  Changed "server" -> "host" where applicable, notably when
>           discussing "HSTS Hosts".  Left as "server" when discussing
>           e.g. "http server"s.
>
>       4.  Fixed minor editorial nits.
>
>       Changes from draft-hodges-strict-transport-sec-02 to
>       draft-ietf-websec-strict-transport-sec-00:
>
>       1.  Altered spec metadata (e.g. filename, date) in order to submit
>           as a WebSec working group Internet-Draft.
>
> D.2.  For draft-hodges-strict-transport-sec
>
>       Changes from -01 to -02:
>
>       1.   updated abstract such that means for expressing HSTS Policy
>            other than via HSTS header field is noted.
>
>
>       2.   Changed spec title to "HTTP Strict Transport Security (HSTS)"
>            from "Strict Transport Security".  Updated use of "STS"
>            acronym throughout spec to HSTS (except for when specifically
>            discussing syntax of Strict-Transport-Security HTTP Response
>            Header field), updated "Terminology" appropriately.
>
>       3.   Updated the discussion of "Passive Network Attackers" to be
>            more precise and offered references.
>
>       4.   Removed para on normative/non-normative from "Conformance
>            Criteria" pending polishing said section to IETF RFC norms.
>
>       5.   Added examples subsection to "Syntax" section.
>
>       6.   Added OWS to maxAge production in Strict-Transport-Security
>            ABNF.
>
>       7.   Cleaned up explanation in the "Note:" in the "HTTP-over-
>            Secure-Transport Request Type" section, folded 3d para into
>            "Note:", added conformance clauses to the latter.
>
>       8.   Added explanatory "Note:" and reference to "HTTP Request
>            Type" section.  Added "XXX1" issue.
>
>       9.   Added conformance clause to "URI Loading".
>
>       10.  Moved "Notes for STS Server implementors:" from "UA
>            Implementation Advice" to "HSTS Policy expiration time
>            considerations:" in "Server Implementation Advice", and also
>            noted another option.
>
>       11.  Added cautionary "Note:" to "Ability to delete UA's cached
>            HSTS Policy on a per HSTS Server basis".
>
>       12.  Added some informative references.
>
>       13.  Various minor editorial fixes.
>
>       Changes from -00 to -01:
>
>       1.  Added reference to HASMAT mailing list and request that this
>           spec be discussed there.
>
> ==============================================================
>
> Subject: [websec] I-D Action: 
> draft-ietf-websec-strict-transport-sec-05.txt
> From: internet-drafts@ietf.org
> Date: Fri, 09 Mar 2012 13:00:09 -0800
> To: i-d-announce@ietf.org
> Cc: websec@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories. This draft is a work item of the Web Security Working 
> Group of the IETF.
>
>     Title           : HTTP Strict Transport Security (HSTS)
>     Author(s)       : Jeff Hodges
>                           Collin Jackson
>                           Adam Barth
>     Filename        : draft-ietf-websec-strict-transport-sec-05.txt
>     Pages           : 43
>     Date            : 2012-03-09
>
>    This specification defines a mechanism enabling Web sites to declare
>    themselves accessible only via secure connections, and/or for users
>    to be able to direct their user agent(s) to interact with given sites
>    only over secure connections.  This overall policy is referred to as
>    HTTP Strict Transport Security (HSTS).  The policy is declared by Web
>    sites via the Strict-Transport-Security HTTP response header field,
>    and/or by other means, such as user agent configuration, for example.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
>
> ==============================================================
> end
>
>
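The user-agent behaviour the change log above records, written out as an added Python example that is not code from the draft or from anyone in this thread: max-age=0 forgets a known HSTS host and the freshest max-age replaces the cached one (ticket #13), directive names are case-insensitive (#31), quoted-string values stay in the grammar (#33), the first STS header field in a message wins (TODO2), policy is established only over error-free secure transport (#35), and includeSubDomains extends the policy to subdomains (#32). The parser follows the draft's RFC 2616 token/quoted-string grammar; rejecting a duplicated directive is an assumption taken from the later RFC 6797 text rather than from this page, and the `clock` callable is injected so expiry can be exercised offline.

```python
import re

# Grammar per the draft: directive = token [ "=" ( token | quoted-string ) ], joined by ";"
# (empty slots allowed); names are case-insensitive. Rejecting a duplicated directive is an
# assumption taken from the later RFC 6797 text, not from this thread.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(rf"\s*(?:({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*)?(?:;|$)")

def parse_sts(value):
    """Return {"max_age": int, "include_subdomains": bool}, or None if the UA must ignore it."""
    seen, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:
            return None                                # not token / quoted-string syntax
        pos = m.end()
        if m.group(1) is None:
            continue                                   # empty slot, e.g. "a;;b"
        name, val = m.group(1).lower(), m.group(2)
        if name in seen:
            return None
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])   # drop quotes, unescape quoted-pair
        seen[name] = val                               # unknown directives are kept but ignored
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in seen}

class HstsPolicyStore:
    """UA-side cache of known HSTS hosts; `clock` returns seconds and is injected for tests."""

    def __init__(self, clock):
        self._clock, self._hosts = clock, {}           # host -> (expiry, include_subdomains)

    def note_response(self, host, sts_fields, secure_transport_ok):
        """Only error-free secure transport sets policy (item 11); only the first STS field
        counts (TODO2); the freshest max-age replaces the cached one, and 0 forgets (ticket #13)."""
        policy = parse_sts(sts_fields[0]) if secure_transport_ok and sts_fields else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (self._clock() + policy["max_age"], policy["include_subdomains"])

    def is_known_hsts_host(self, host):
        """Live direct match, or a live superdomain entry carrying includeSubDomains (any port)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is not None and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False
```

A UA consults `is_known_hsts_host` before issuing any request and rewrites http URIs for known hosts to https; a policy store that honours a header received over plain http, or a later header in the same message, would let an on-path party reset the cached policy.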