Re: [websec] #4: Clarify that HSTS policy applies to entire host (all ports)
"websec issue tracker" <trac+websec@trac.tools.ietf.org> Fri, 08 July 2011 22:20 UTC
To: jeff.hodges@kingsmountain.com
Cc: websec@ietf.org
Message-ID: <079.7495dcaebb7f7d3570e7bfa0fa23ecae@trac.tools.ietf.org>
In-Reply-To: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:2
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
#4: Clarify that HSTS policy applies to entire host (all ports)

Comment (by jeff.hodges@…):

http://www.ietf.org/mail-archive/web/websec/current/msg00041.html

Subject: [websec] HSTS -- what about ports?
From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 20 Nov 2010 22:29:48 -0800
To: websec@ietf.org

The HSTS spec needs to be more clear about how to handle multiple servers running on different ports on the same host. I think, by referring to host name matching only, that the intent of the spec is that a server running on any port can set HSTS behavior for every other port on that host. If this is correct it might be clearer to rename "HSTS Server" to "HSTS Host" and to somewhere in the spec mention explicitly that the port is ignored when matching host names.

An alternate behavior would be that a server running on port X only specifies the behavior for that port, with a special case for the default ports 80/443 because they go unspecified. This would make sense from a security POV only if cookies were port-specific (with again a special case for the unspecified default ports), but I don't believe any browser implements cookies in that way. Handling HSTS in a port-specific manner also complicates the meaning of includeSubDomains.

###

--
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                 |       Owner:  =JeffH
     Type:  defect                        |      Status:  new
 Priority:  major                         |   Milestone:
Component:  strict-transport-sec          |     Version:
 Severity:  Active WG Document            |    Keywords:
-------------------------------------------+--------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:2>
websec <http://tools.ietf.org/websec/>
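The host-wide interpretation Dan describes (policy keyed on the host name only, the port a response arrived on ignored, includeSubDomains extending the match to subdomains of the known host), as an added worked example in JavaScript; this is not code from the websec WG, the HSTS draft, or any browser, and the class name HstsStore and its methods are this example's own. Two details beyond the quoted mail are taken from what RFC 6797 later specified: the http-to-https rewrite keeps any explicit non-80 port (section 8.3), and the header grammar requires max-age and rejects repeated directives (section 6.1).

```javascript
// Added example (not code from the websec WG or any browser): a minimal
// "Known HSTS Host" store that matches on host name only, never on port.
// The clock is injectable so expiry can be exercised deterministically.
class HstsStore {
  constructor(now = () => Date.now()) {
    this.hosts = new Map(); // key: lowercase host name with no port
    this.now = now;
  }

  // Parse a Strict-Transport-Security field value. Returns null when the
  // header is invalid (missing max-age, non-numeric max-age, or a directive
  // repeated, as RFC 6797 s6.1 forbids); unknown directives are ignored.
  static parseHeader(value) {
    let maxAge = null;
    let includeSubDomains = false;
    const seen = new Set();
    for (const raw of value.split(";")) {
      const directive = raw.trim();
      if (directive === "") continue;
      const eq = directive.indexOf("=");
      const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
      const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      if (seen.has(name)) return null;
      seen.add(name);
      if (name === "max-age") {
        if (val === null || !/^\d+$/.test(val)) return null;
        maxAge = Number(val);
      } else if (name === "includesubdomains") {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return null;
    return { maxAge, includeSubDomains };
  }

  // Note a response as coming from a Known HSTS Host. The header is only
  // honoured over https, and IP literals are never HSTS hosts (RFC 6797
  // s8.1). The port in the URL (e.g. :8443) is deliberately not recorded:
  // a server on any port sets policy for the whole host.
  processResponse(url, headerValue) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    if (/^\d+\.\d+\.\d+\.\d+$/.test(u.hostname) || u.hostname.startsWith("[")) return false;
    const policy = HstsStore.parseHeader(headerValue);
    if (policy === null) return false;
    const host = u.hostname.toLowerCase();
    if (policy.maxAge === 0) {
      this.hosts.delete(host); // max-age=0 withdraws the policy
      return true;
    }
    this.hosts.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `hostname` a Known HSTS Host? Exact match always counts; a superdomain
  // match only counts if that superdomain was noted with includeSubDomains.
  // No port is consulted anywhere in this decision.
  isKnownHost(hostname) {
    const labels = hostname.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.hosts.delete(candidate); // lazily drop expired entries
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http URL for a Known HSTS Host to https. Following RFC 6797
  // s8.3, an implicit or explicit port 80 becomes the https default (443)
  // and any other explicit port is kept; the WHATWG URL setter does exactly
  // that when the scheme changes, since :80 is already dropped at parse time.
  rewrite(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.isKnownHost(u.hostname)) return u.href;
    u.protocol = "https:";
    return u.href;
  }
}
```

Usage: after `store.processResponse("https://example.com:8443/", "max-age=31536000; includeSubDomains")`, `store.rewrite("http://example.com:8080/a")` returns `https://example.com:8080/a` and `store.isKnownHost("www.example.com")` is true, which is the host-wide behaviour the mail argues the spec intends; a port-specific store would have to key on `example.com:8443` and would not upgrade either request.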