Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt

Peter Saint-Andre <stpeter@stpeter.im> Thu, 03 May 2012 19:40 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2DAD21F8531 for <websec@ietfa.amsl.com>; Thu, 3 May 2012 12:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TstHLqb7IlPY for <websec@ietfa.amsl.com>; Thu, 3 May 2012 12:40:45 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id E022D21F861C for <websec@ietf.org>; Thu, 3 May 2012 12:40:44 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 7AD2240058; Thu, 3 May 2012 13:55:46 -0600 (MDT)
Message-ID: <4FA2DF3B.7000506@stpeter.im>
Date: Thu, 03 May 2012 13:40:43 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4FA18EF1.9040206@KingsMountain.com>
In-Reply-To: <4FA18EF1.9040206@KingsMountain.com>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 19:40:46 -0000

On 5/2/12 1:45 PM, =JeffH wrote:

>> 13.  Internationalized Domain Names for Applications (IDNA): Dependency
>>       and Migration
>>
>>     IDNA2008 obsoletes IDNA2003, but there are differences between the
>>     two specifications, and thus there can be differences in processing
>>     (e.g., converting) domain name labels that have been registered under
>>     one from those registered under the other.  There will be a
>>     transition period of some time during which IDNA2003-based domain
>>     name labels will exist in the wild.  User agents SHOULD implement
>>     IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of
>>     [RFC5894]) or [UTS46] in order to facilitate their IDNA transition.
>>
>> I might be kicking a dead horse here, but MAY sounds a bit weak.
>> I especially dislike having the choice between 2 incompatible specs,
>> I think this might cause some interop problems.
> 
> As far as I can tell, having had fairly extensive discussions with IDNA
> folk both privately and on various lists such as idna-update@, the above
> relects the the unfortunate state of the world at this time. For
> instance, Pete Resnick signed off on the language in the spec in this
> message to websec@...
> 
> Re: [websec] wrt IDN processing-related security considerations for
> draft-ietf-websec-strict-transport-sec
> https://www.ietf.org/mail-archive/web/websec/current/msg01015.html
> 
> we should probably fork off any further discussion on this topic to that
> thread.

Unfortunately, I think the text that Jeff produced is about the best
we're going to do right now.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/