[websec] #28: HSTS spec unclear about the denotation of "HSTS policy"

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Tue, 15 November 2011 13:05 UTC

From: websec issue tracker <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Tue, 15 Nov 2011 13:05:11 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/28
Message-ID: <070.3a39431f6b25ef97957a720cb34b8bc4@trac.tools.ietf.org>
X-Trac-Ticket-ID: 28
Cc: websec@ietf.org
Subject: [websec] #28: HSTS spec unclear about the denotation of "HSTS policy"

#28: HSTS spec unclear about the denotation of "HSTS policy"

 Strict-Transport-Security syntax and effective request URI def [StPeter]
 https://www.ietf.org/mail-archive/web/websec/current/msg00476.html


 The document is a bit unclear about the denotation of "HSTS policy".
 Sometimes it refers to the site's policy and sometimes to the overall
 recommendations defined in the spec.

    This specification also incorporates notions
    from [JacksonBarth2008] in that the HSTS policy is applied on an
    "entire-host" basis: it applies to all TCP ports on the host.
    Additionally, HSTS policy can be applied to the entire domain name
    subtree rooted at a given host name.  This enables HSTS to protect
    so-called "domain cookies", which are applied to all subdomains of a
    given domain.

 Perhaps it would be helpful to contrast the all ports and entire subtree
 principles with the same origin policy also being worked on in this WG,
 with an informational reference to the appropriate spec.

-- 
 Reporter:   jeff.hodges@…
 Owner:      draft-ietf-websec-strict-transport-sec@…
 Type:       defect
 Status:     new
 Priority:   minor
 Milestone:
 Component:  strict-transport-sec
 Version:
 Keywords:
 Severity:   -

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
websec <http://tools.ietf.org/websec/>
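The scoping rule quoted in the ticket (a known HSTS host's policy covers every port on that host, and with includeSubDomains the whole domain subtree beneath it, whereas the same-origin policy keys on scheme, host and port) is easier to see in a small model of a user agent's HSTS store. The following is an added example, not code from the draft, the ticket or any browser; the header values, host names and clock values are constructed for the demonstration, and the URI rewrite follows the http-to-https, port 80-to-443 rule the draft describes for known HSTS hosts.

```python
"""Model of HSTS policy scope: entire host (all ports) and, with
includeSubDomains, the domain subtree; contrasted with same-origin.
Added example; header values, hosts and clock values are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

_DEFAULT_PORTS = {'http': 80, 'https': 443}


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool  # whether the policy also covers all subdomains


def parse_sts_header(value):
    """Parse a Strict-Transport-Security field value.
    Returns (max_age, include_subdomains), or None if the header is unusable
    (no max-age, a non-numeric max-age, or a duplicated max-age directive)."""
    max_age, include_sub = None, False
    for directive in value.split(';'):
        name, _, val = directive.strip().partition('=')
        name = name.strip().lower()
        val = val.strip().strip('"')         # max-age value may be a quoted-string
        if name == 'max-age':
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == 'includesubdomains':    # directive names are case-insensitive
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The per-UA table of known HSTS hosts, keyed by host name only (no port)."""

    def __init__(self):
        self.hosts = {}

    def process_response(self, url, sts_value, now):
        """Record the policy from a response to `url`. Only responses received over
        HTTPS are honoured; max-age=0 makes the UA forget the host."""
        parts = urlsplit(url)
        if parts.scheme != 'https':
            return False
        parsed = parse_sts_header(sts_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """Entire-host match, or superdomain match when includeSubDomains was set.
        The request's port is never consulted: the policy applies to every port."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = self.hosts.get('.'.join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Rewrite an http URI to https for a known HSTS host: an explicit port 80
        becomes 443 (the default), any other explicit port is retained."""
        parts = urlsplit(url)
        if parts.scheme != 'http' or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ':%d' % parts.port
        return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))


def origin(url):
    """Same-origin policy compares the (scheme, host, port) triple."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or _DEFAULT_PORTS.get(p.scheme))


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


if __name__ == '__main__':
    store = HstsStore()
    store.process_response('https://example.com/', 'max-age=31536000; includeSubDomains', now=1000)
    for u in ('http://example.com:8080/x', 'http://api.example.com/', 'http://example.com.evil.test/'):
        print(u, '->', store.rewrite(u, now=1000))
    print(same_origin('https://example.com/', 'https://example.com:8443/'))
```

The two non-matching cases in the demo are the ones worth checking in any implementation: `example.com.evil.test` shares a prefix with the known host but is not in its subtree, and the `:8443` origin is distinct under same-origin even though HSTS treats it as the same host.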