Re: [websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 December 2014 21:24 UTC

Message-ID: <54A317F0.5030706@fifthhorseman.net>
Date: Tue, 30 Dec 2014 16:24:00 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, David Keeler <dkeeler@mozilla.com>
References: <20141217135659.GA4781@nic.fr> <5491DEAC.8040706@mozilla.com> <20141217203836.GA10001@laperouse.bortzmeyer.org>
In-Reply-To: <20141217203836.GA10001@laperouse.bortzmeyer.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/BlNiaAU3ccm_kQa30KmDCnp2DbA
Cc: collin.jackson@sv.cmu.edu, websec@ietf.org
Subject: Re: [websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?

On 12/17/2014 03:38 PM, Stephane Bortzmeyer wrote:
> On Wed, Dec 17, 2014 at 11:51:08AM -0800,
>  David Keeler <dkeeler@mozilla.com> wrote
>  a message of 47 lines which said:
> 
>> Section 11.3 is about when the user agent connects to a host that it
>> previously noted as using HSTS.
> 
> OK, so an example case with section 11.3 could be a server publishing an
> HSTS header while it has a recognized certificate and then later
> switching to a self-signed certificate. In that case, access would be
> denied. Am I correct?

Yes, this is a known consequence of using HSTS.

	--dkg
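To make the behaviour confirmed above concrete, here is an added Python model (not code from the RFC, the thread, or any browser) of a user agent's HSTS policy cache: a header is noted only over error-free TLS (RFC 6797 section 8.1), and a later certificate error against a noted host, such as the switch to a self-signed certificate described in the thread, is a hard failure with no user override, while hosts without a policy may still be prompted. The `HstsStore`, `handle_response` names and the string verdicts are assumptions of this model.

```python
import time
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool

def parse_sts_header(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1). Directive
    names are case-insensitive; returns (max_age, includeSubDomains) or None."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class HstsStore:
    def __init__(self, now=time.time):
        self.policies = {}  # host -> HstsPolicy (constructed in-memory cache)
        self.now = now

    def is_known(self, host):
        """Section 8.2: exact match, or a superdomain policy with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy.expires_at > self.now() and (i == 0 or policy.include_subdomains):
                return True
        return False

    def handle_response(self, host, sts_header, cert_ok):
        """Section 8.4: a certificate error on a Known HSTS Host terminates the
        connection with no click-through; elsewhere the UA may prompt the user.
        Section 8.1: the header is noted only when TLS had no errors; max-age=0 deletes."""
        if not cert_ok:
            return "terminate" if self.is_known(host) else "prompt_user"
        parsed = parse_sts_header(sts_header) if sts_header else None
        if parsed:
            max_age, include_subdomains = parsed
            if max_age == 0:
                self.policies.pop(host, None)
            else:
                self.policies[host] = HstsPolicy(self.now() + max_age, include_subdomains)
        return "connect"
```

Once the policy expires (or the host sends max-age=0 over a clean connection), the same certificate error falls back to the ordinary user prompt.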