Re: [websec] DNS publication of HSTS and PKP header data using CAA

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 08 April 2015 22:38 UTC

On Wed, April 8, 2015 3:18 pm, Jeffrey Walton wrote:
>  This is obviously predicated on an online app and DNS. Is there any
>  interest in Installable Web Apps delivered over a trusted distribution
>  channel?

That's a question for the W3C, not the IETF.

>  Installable Web Apps are simply web apps with a manifest that are
>  packaged and installed like more traditional apps. They still use the
>  same technologies, like HTML, CSS and JavaScript. The trusted
>  distribution channel ensures the app is not tampered with during delivery.
>  The class of app is supported by both Firefox and Chrome.

The summary doesn't match what is supported, but that's a question for the
W3C.

>  In the case of installable apps, the information like HSTS and HPKP
>  can be placed in the app manifest. Even better, standards like HPKP
>  won't need to provide the override because it's confused about which
>  pinset is the right one to use. Because the HSTS and HPKP information
>  was in the manifest during delivery, there will be no question about
>  which policy or key to use.

By "the override", I presume you mean "the ability for a duly authorized
user with administrative access over the machine they own to set policies
for the applications they install", which you've objected to in the past,
in which case, there's no reason at all to assume that the respect for a
user's wishes over that of the developer's would somehow be inverted.

The W3C is quite nice in spelling this out -
http://www.w3.org/TR/html-design-principles/#priority-of-constituencies


In either event, it sounds very much like a question for the W3C and the
format application manifests take and are extended, and nothing to do with
this WG.