IETF Logo Mail Archive

Re: [websec] Well-known URIs

Yoav Nir <ynir@checkpoint.com> Thu, 08 August 2013 20:27 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF66211E8200 for <websec@ietfa.amsl.com>; Thu, 8 Aug 2013 13:27:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.514
X-Spam-Level:
X-Spam-Status: No, score=-10.514 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QA9IZ20Bj6+B for <websec@ietfa.amsl.com>; Thu, 8 Aug 2013 13:27:32 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF0121F9C72 for <websec@ietf.org>; Thu, 8 Aug 2013 13:27:32 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r78KRSqO026957; Thu, 8 Aug 2013 23:27:28 +0300
X-CheckPoint: {5203FF30-0-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Thu, 8 Aug 2013 23:27:26 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Chris Palmer <palmer@google.com>
Thread-Topic: [websec] Well-known URIs
Thread-Index: AQHOlFgB2fNLbEWVFkSgl8GkYD3KkJmLgOoAgAAPfoA=
Date: Thu, 08 Aug 2013 20:27:26 +0000
Message-ID: <F14E3D10-FF63-4F0D-8BA4-11B9A1A42012@checkpoint.com>
References: <4CF90F65-62CE-4AE0-9113-932F93A98782@mnot.net> <CAOuvq21cUqt-cXNM5xnektO-0yJq-gvXa5xoEREz26vTQiTFAA@mail.gmail.com>
In-Reply-To: <CAOuvq21cUqt-cXNM5xnektO-0yJq-gvXa5xoEREz26vTQiTFAA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.237]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11f42b9a8d2aff8f29b6775ee0d419e64a417f8d02
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5F0CEED104D2D240AA979EA240CFA19F@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Mark Nottingham <mnot@mnot.net>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Well-known URIs
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 20:27:38 -0000

Hi Chris

On Aug 8, 2013, at 10:31 PM, Chris Palmer <palmer@google.com> wrote:

> On Thu, Aug 8, 2013 at 5:35 AM, Mark Nottingham <mnot@mnot.net> wrote:
> 
>> 1. Well-known URIs are designed for cases where the client wants to get a bunch of *related* data together; as such, a general framework is encouraged, as long as the use cases are similar.
>> 
>> This is why I don't like hostmeta; it's a bucket for anything you want to throw in there, which means that over time, the client will be getting a lot of information they don't want, which will necessitate a query language, which is just nasty overkill. At the other end of the spectrum, having a single-use well-known URI in the critical path (or even not) for a browser is similarly Not A Good Idea.
> 
> Can you say clearly what else we should stuff into the W-K URI for
> HPKP? What other working groups and standards bodies are we going to
> have to reach consensus with?

The answer to those questions is "nothing" and "none".

let's assume the format is JSON, we could call the resource https://www.example.com/.well-known/TransportSecurity.json , and it could be formatted like this:
{
    "HPKP": {
        "max_age": 2592000,
	"include_subdomains": "false",
	"pins": [
            {
                "alg": "sha1"
                "hash": "aQWqfl0MQRwcM+3uffZ08Rttods="
            },
            {
                "alg": "sha256"
                "hash": "Lbl5D9eR4PLiaOUSeO6sue2QrSvpB31F4mte/4D75xM="
            },
        ]
    }
}

Then if someone wants to add HSTS into this, they're welcome to it, but they'll need their own document to do it.

Yoav

v2.23.0 | Report a Bug | By Email