[websec] new rev: draft-ietf-websec-strict-transport-sec-05
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 09 March 2012 21:11 UTC
Message-ID: <4F5A720D.8040106@KingsMountain.com>
Date: Fri, 09 Mar 2012 13:11:41 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-05
New rev:
  http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

With this rev, all issue tickets are now nominally addressed. Full change log below, and full -04 announcement message at end.

Changes from -04 to -05 address: 33, 36
Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36
Changes from -02 to -03 address: 14, 26, 27
Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

full issue ticket list for strict-transport-sec:
  <http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>

Diff from previous version:
  http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05

=JeffH

==============================================================

Appendix D.  Change Log

   [RFCEditor: please remove this section upon publication as an RFC.]

   Changes are grouped by spec revision listed in reverse issuance order.

D.1.  For draft-ietf-websec-strict-transport-sec

   Changes from -04 to -05:

   1.  Fixed up references to move certain ones back to the normative
       section -- as requested by Alexey M.  Added explanation for
       referencing obsoleted [RFC3490] and [RFC3492].  This addresses
       issue ticket #36.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

   2.  Made minor change to Strict-Transport-Security header field ABNF
       in order to address further feedback as appended to ticket #33.
       This addresses issue ticket #33.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

   Changes from -03 to -04:

   1.  Clarified that max-age=0 will cause UA to forget a known HSTS
       host, and more generally clarified that the "freshest" info from
       the HSTS host is cached, and thus HSTS hosts are able to alter the
       cached max-age in UAs.  This addresses issue ticket #13.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>

   2.  Updated section on "Constructing an Effective Request URI" to
       remove remaining reference to RFC3986 and reference RFC2616
       instead.  Further addresses issue ticket #14.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

   3.  Addresses further ABNF issues noted in comment:1 of issue ticket
       #27.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/27#comment:1>

   4.  Reworked the introduction to clarify the denotation of "HSTS
       policy" and added the new Appendix B summarizing the primary
       characteristics of HSTS Policy and Same-Origin Policy, and
       identifying their differences.  Added ref to [RFC4732].  This
       addresses issue ticket #28.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>

   5.  Reworked language in Section 2.3.1.3. wrt "mixed content", more
       clearly explain such vulnerability, disambiguate "mixed content"
       in web security context from its usage in markup language
       context.  This addresses issue ticket #29.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>

   6.  Expanded Denial of Service discussion in Security Considerations.
       Added refs to [RFC4732] and [CWE-113].  This addresses issue
       ticket #30.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>

   7.  Mentioned in prose the case-insensitivity of directive names.
       This addresses issue ticket #31.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>

   8.  Added Section 10.3 "Implications of includeSubDomains".  This
       addresses issue ticket #32.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>

   9.  Further refines text and ABNF definitions of STS header field
       directives.  Retains use of quoted-string in directive grammar.
       This addresses issue ticket #33.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

   10. Added Section 14.7 "Creative Manipulation of HSTS Policy Store",
       including reference to [WebTracking].  This addresses issue
       ticket #34.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>

   11. Added Section 14.1 "Ramifications of HSTS Policy Establishment
       only over Error-free Secure Transport" and made some accompanying
       editorial fixes in some other sections.  This addresses issue
       ticket #35.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>

   12. Refined references.  Cleaned out un-used ones, updated to latest
       RFCs for others, consigned many to Informational.  This addresses
       issue ticket #36.  <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

   13. Fixed-up some inaccuracies in the "Changes from -02 to -03"
       section.

   Changes from -02 to -03:

   1.  Updated section on "Constructing an Effective Request URI" to
       remove references to RFC3986.  Addresses issue ticket #14.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

   2.  Reference RFC5890 for IDNA, retaining subordinate refs to
       RFC3490.  Updated IDNA-specific language, e.g. domain name
       canonicalization and IDNA dependencies.  Addresses issue ticket
       #26 <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.

   3.  Completely re-wrote the STS header ABNF to be fully based on
       RFC2616, rather than a hybrid of RFC2616 and httpbis.  Addresses
       issue ticket #27 <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.

   Changes from -01 to -02:

   1.  Updated Section 8.2 "URI Loading and Port Mapping" fairly
       thoroughly in terms of refining the presentation of the steps,
       and to ensure the various aspects of port mapping are clear.
       Nominally fixes issue ticket #1
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>

   2.  Removed dependencies on [I-D.draft-ietf-httpbis-p1-messaging-15].
       Thus updated STS ABNF in Section 6.1 "Strict-Transport-Security
       HTTP Response Header Field" by lifting some productions entirely
       from [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
       [RFC2616].  Addresses issue ticket #2
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.

   3.  Updated Effective Request URI section and definition to use
       language from [I-D.draft-ietf-httpbis-p1-messaging-15] and ABNF
       from [RFC2616].  Fixes issue ticket #3
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.

   4.  Added explicit mention that the HSTS policy applies to all TCP
       ports of a host advertising the HSTS policy.  Nominally fixes
       issue ticket #4 <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>

   5.  Clarified the need for the "includeSubDomains" directive, e.g. to
       protect Secure-flagged domain cookies.  In Section 14.2 "The Need
       for includeSubDomains".  Nominally fixes issue ticket #5
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>

   6.  Cited Firesheep as real-live threat in Section 2.3.1.1 "Passive
       Network Attackers".  Nominally fixes issue ticket #6
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.

   7.  Added text to Section 11 "User Agent Implementation Advice"
       justifying connection termination due to tls warnings/errors.
       Nominally fixes issue ticket #7
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.

   8.  Added new subsection Section 8.5 "Interstitially Missing
       Strict-Transport-Security Response Header Field".  Nominally
       fixes issue ticket #8 <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.

   9.  Added text to Section 8.3 "Errors in Secure Transport
       Establishment" to explicitly note revocation check failures as
       errors causing connection termination.  Added references to
       [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.

   10. Added a sentence, noting that distributing specific end-entity
       certificates to browsers will also work for self-signed/private-CA
       cases, to Section 10 "Server Implementation and Deployment
       Advice".  Nominally fixes issue ticket #10
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.

   11. Moved "with no user recourse" language from Section 8.3 "Errors
       in Secure Transport Establishment" to Section 11 "User Agent
       Implementation Advice".  This nominally fixes issue ticket #11
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.

   12. Removed any and all dependencies on
       [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending on
       [RFC2616] only.  Fixes issue ticket #12
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.

   13. Removed the inline "XXX1" issue because no one had commented on
       it and it seems reasonable to suggest as a SHOULD that web apps
       should redirect incoming insecure connections to secure
       connections.

   14. Removed the inline "XXX2" issue because it was simply for raising
       consciousness about having some means for distributing secure
       web application metadata.

   15. Removed "TODO1" because description prose for "max-age" in the
       Note following the ABNF in Section 6 seems to be fine.

   16. Decided for "TODO2" that "the first STS header field wins".
       TODO2 had read: "Decide UA behavior in face of encountering
       multiple HSTS headers in a message.  Use first header?  Last?".
       Removed TODO2.

   17. Added Section 1.1 "Organization of this specification" for
       readers' convenience.

   18. Moved design decision notes to be a proper appendix Appendix A.

   Changes from -00 to -01:

   1.  Changed the "URI Loading" section to be "URI Loading and Port
       Mapping".

   2.  [HASMAT] reference changed to [WEBSEC].

   3.  Changed "server" -> "host" where applicable, notably when
       discussing "HSTS Hosts".  Left as "server" when discussing e.g.
       "http server"s.

   4.  Fixed minor editorial nits.

   Changes from draft-hodges-strict-transport-sec-02 to
   draft-ietf-websec-strict-transport-sec-00:

   1.  Altered spec metadata (e.g. filename, date) in order to submit as
       a WebSec working group Internet-Draft.

D.2.  For draft-hodges-strict-transport-sec

   Changes from -01 to -02:

   1.  updated abstract such that means for expressing HSTS Policy other
       than via HSTS header field is noted.

   2.  Changed spec title to "HTTP Strict Transport Security (HSTS)"
       from "Strict Transport Security".  Updated use of "STS" acronym
       throughout spec to HSTS (except for when specifically discussing
       syntax of Strict-Transport-Security HTTP Response Header field),
       updated "Terminology" appropriately.

   3.  Updated the discussion of "Passive Network Attackers" to be more
       precise and offered references.

   4.  Removed para on normative/non-normative from "Conformance
       Criteria" pending polishing said section to IETF RFC norms.

   5.  Added examples subsection to "Syntax" section.

   6.  Added OWS to maxAge production in Strict-Transport-Security ABNF.

   7.  Cleaned up explanation in the "Note:" in the
       "HTTP-over-Secure-Transport Request Type" section, folded 3d para
       into "Note:", added conformance clauses to the latter.

   8.  Added explanatory "Note:" and reference to "HTTP Request Type"
       section.  Added "XXX1" issue.

   9.  Added conformance clause to "URI Loading".

   10. Moved "Notes for STS Server implementors:" from "UA
       Implementation Advice" to "HSTS Policy expiration time
       considerations:" in "Server Implementation Advice", and also
       noted another option.

   11. Added cautionary "Note:" to "Ability to delete UA's cached HSTS
       Policy on a per HSTS Server basis".

   12. Added some informative references.

   13. Various minor editorial fixes.

   Changes from -00 to -01:

   1.  Added reference to HASMAT mailing list and request that this spec
       be discussed there.

==============================================================

Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-05.txt
From: internet-drafts@ietf.org
Date: Fri, 09 Mar 2012 13:00:09 -0800
To: i-d-announce@ietf.org
Cc: websec@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                          Collin Jackson
                          Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-05.txt
	Pages           : 43
	Date            : 2012-03-09

   This specification defines a mechanism enabling Web sites to declare
   themselves accessible only via secure connections, and/or for users
   to be able to direct their user agent(s) to interact with given sites
   only over secure connections.  This overall policy is referred to as
   HTTP Strict Transport Security (HSTS).  The policy is declared by Web
   sites via the Strict-Transport-Security HTTP response header field,
   and/or by other means, such as user agent configuration, for example.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

==============================================================

end
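Several of the change-log items above pin down user-agent behaviour: directive names are case-insensitive (#31), directive values may be quoted-strings (#33), the first STS header field in a response wins (TODO2), max-age=0 makes the UA forget a known host and the freshest information replaces what was cached (#13), the policy covers every TCP port of the host (#4), includeSubDomains extends it to subdomains (#5, #32), and policy is only established over error-free secure transport (#35). The following is an added example, not code from the draft, its authors or the working group: a small Python model of a user agent's STS header parser and known-HSTS-host cache that implements exactly those rules. The names HstsPolicy, HstsStore, parse_sts_header, process_response, is_known and rewrite_url are this example's own; the 80-to-443 port-mapping rule in rewrite_url and the treatment of a repeated directive as malformed are assumptions of the example, not statements taken from this message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the draft: a minimal user-agent-side model of
# Strict-Transport-Security processing and the "known HSTS host" cache.

# token and quoted-string in the spirit of the RFC 2616 productions the
# draft's ABNF is built on (assumption: this approximation of the grammar).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE = re.compile(rf"\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED_STRING}))?\s*")


@dataclass
class HstsPolicy:
    max_age: int              # seconds the UA should remember the host
    include_subdomains: bool  # policy also covers all subdomains


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security field value.

    Directive names are case-insensitive (#31) and values may be a token or
    a quoted-string (#33).  Returns None when the field value is malformed
    or carries no max-age; a directive given twice is treated as malformed
    here (design choice of this example).
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen: set[str] = set()
    for element in value.split(";"):
        if not element.strip():
            continue  # tolerate an empty element, e.g. a trailing ';'
        m = DIRECTIVE.fullmatch(element)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen.add(name)
        raw = m.group(2)
        val = None
        if raw is not None:
            # unquote and unescape a quoted-string value, keep a token as-is
            val = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
        if name == "max-age":
            if val is None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # directives this model does not know are ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsStore:
    """Cache of known HSTS hosts keyed by host name only: the policy covers
    every TCP port of the host (#4), so the port is not part of the key."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now  # injectable clock so expiry can be exercised offline
        self._hosts: dict[str, tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def process_response(self, host: str, sts_values: list[str],
                         secure_without_errors: bool) -> None:
        # Policy is established only over error-free secure transport (#35).
        if not secure_without_errors or not sts_values:
            return
        # With several STS header fields in one response, the first one wins (TODO2).
        policy = parse_sts_header(sts_values[0])
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0: forget the known host (#13)
            return
        # The freshest information from the host replaces what was cached (#13).
        self._hosts[host] = (self.now + policy.max_age, policy.include_subdomains)

    def _expire(self) -> None:
        for h in [h for h, (exp, _) in self._hosts.items() if exp <= self.now]:
            del self._hosts[h]

    def is_known(self, host: str) -> bool:
        """True if host itself, or a superdomain cached with includeSubDomains, is known."""
        self._expire()
        host = host.lower()
        if host in self._hosts:
            return True
        labels = host.split(".")
        return any(self._hosts.get(".".join(labels[i:]), (0.0, False))[1]
                   for i in range(1, len(labels)))

    def rewrite_url(self, url: str) -> str:
        """Rewrite an http:// URL for a known HSTS host to https://.

        Assumption of this example: port 80 (explicit or default) maps to the
        https default port, any other explicit port is kept unchanged.
        """
        m = re.fullmatch(r"http://([^/:]+)(?::(\d+))?(/.*)?", url)
        if m is None or not self.is_known(m.group(1)):
            return url
        host, port, path = m.group(1), m.group(2), m.group(3) or "/"
        if port is None or port == "80":
            return f"https://{host}{path}"
        return f"https://{host}:{port}{path}"
```

A store built this way can be driven from a test harness with constructed responses: feeding `["max-age=0", "max-age=500"]` leaves the host unknown because only the first field is processed, and a response received over a connection with TLS errors never changes the cache, which is what makes the "error-free secure transport" ramifications in Section 14.1 relevant for operators who deploy the header before their certificate chain is clean.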