Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 04 May 2012 08:47 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57CC21F846E for <websec@ietfa.amsl.com>; Fri, 4 May 2012 01:47:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.115
X-Spam-Level:
X-Spam-Status: No, score=-101.115 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3D1d9jF4eHHG for <websec@ietfa.amsl.com>; Fri, 4 May 2012 01:47:18 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 00B5321F846A for <websec@ietf.org>; Fri, 4 May 2012 01:47:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1336121236; d=isode.com; s=selector; i=@isode.com; bh=KgZEub58QpcfZrMYZeTda6MVz/9Zof4rdYknyBmHDJ4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=CALWXEr2W5SQhsTw1Yw1YV+It5fwtj2J2A0djH4u/FkUsp05kX5yYQd8/CzrYTPcScTlqJ bHyYS3BnEhQ5Ad8zz5WvuPSlLwlJuUyHxDLBT5hfojySlr7zxfSUPaaYAqY3Y8xiErDkT2 zq44RmoG/dBq22WvHEALNz2SMIjsWQs=;
Received: from [188.29.197.176] (188.29.197.176.threembb.co.uk [188.29.197.176]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T6OXkgB=gzLI@rufus.isode.com>; Fri, 4 May 2012 09:47:16 +0100
References: <4FA18EF1.9040206@KingsMountain.com> <4FA2DF3B.7000506@stpeter.im>
In-Reply-To: <4FA2DF3B.7000506@stpeter.im>
Message-Id: <8E815A59-6F8C-404B-B88C-E8C7CFA1CB1C@isode.com>
X-Mailer: iPad Mail (9B176)
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Fri, 4 May 2012 09:47:09 +0100
To: Peter Saint-Andre <stpeter@stpeter.im>, =JeffH <Jeff.Hodges@KingsMountain.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 08:47:21 -0000

On 3 May 2012, at 20:40, Peter Saint-Andre <stpeter@stpeter.im>; wrote:

> On 5/2/12 1:45 PM, =JeffH wrote:
> 
>>> 13.  Internationalized Domain Names for Applications (IDNA): Dependency
>>>      and Migration
>>> 
>>>    IDNA2008 obsoletes IDNA2003, but there are differences between the
>>>    two specifications, and thus there can be differences in processing
>>>    (e.g., converting) domain name labels that have been registered under
>>>    one from those registered under the other.  There will be a
>>>    transition period of some time during which IDNA2003-based domain
>>>    name labels will exist in the wild.  User agents SHOULD implement
>>>    IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of
>>>    [RFC5894]) or [UTS46] in order to facilitate their IDNA transition.
>>> 
>>> I might be kicking a dead horse here, but MAY sounds a bit weak.
>>> I especially dislike having the choice between 2 incompatible specs,
>>> I think this might cause some interop problems.
>> 
>> As far as I can tell, having had fairly extensive discussions with IDNA
>> folk both privately and on various lists such as idna-update@, the above
>> relects the the unfortunate state of the world at this time. For
>> instance, Pete Resnick signed off on the language in the spec in this
>> message to websec@...
>> 
>> Re: [websec] wrt IDN processing-related security considerations for
>> draft-ietf-websec-strict-transport-sec
>> https://www.ietf.org/mail-archive/web/websec/current/msg01015.html
>> 
>> we should probably fork off any further discussion on this topic to that
>> thread.
> 
> Unfortunately, I think the text that Jeff produced is about the best
> we're going to do 

We are setting ourselves up for some interop problems. We should bite the bullet and through RFC 5894 or UTS 46 out.