[websec] #41: add parameter indicating whether to hardfail or not

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Mon, 26 March 2012 07:20 UTC

Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4E821F846E for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+8caDxZ8N5Q for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBD521F8493 for <websec@ietf.org>; Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC4E3-0006yn-WF; Mon, 26 Mar 2012 03:20:24 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:20:23 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/41
Message-ID: <070.d03fad09be18f8768e0c0b6b191f9c78@trac.tools.ietf.org>
X-Trac-Ticket-ID: 41
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To:
Resent-Message-Id: <20120326072027.5FBD521F8493@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec] #41: add parameter indicating whether to hardfail or not
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:20:30 -0000

#41: add parameter indicating whether to hardfail or not

 https://www.ietf.org/mail-archive/web/websec/current/msg01093.html - yoav
 nir

 The significant:

 I have said this before, and was rejected by the group, so I'll raise this
 one last time here.
 Section 8.3 makes it a MUST-level requirement that any failure of the
 underlying secure transport. Section 11.1 clarifies that there should be
 no user recourse for this. This makes the cost of implementing
 unreasonably high, and significantly discourages trial roll-outs. Adding
 an HSTS header to your web site takes about 2 lines of configuration file
 in Apache. But doing so makes small errors like letting the certificate
 lapse or using links with a different FQDN cause hard failures. Both these
 sections do now state specifically what constitutes a failure, so it might
 be that the intention was not to include expirations. I think this should
 be clarified, but mismatched names obviously apply.
 I suggest that either we remove the no user recourse advice, or else add a
 "hardfail" directive. Roll out with "hardfail=no", and if people don't
 complain, change to "hardfail=yes"

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
  jeff.hodges@…          |  sec@…
     Type:  enhancement  |     Status:  new
 Priority:  major        |  Milestone:
Component:  strict-      |    Version:
  transport-sec          |   Keywords:
 Severity:  In WG Last   |
  Call                   |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/41>
websec <http://tools.ietf.org/websec/>