Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS

Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 11 March 2012 01:07 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0348F21F854D for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Level:
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4qxwEy06Ld9 for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:36 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id DEC8821F8545 for <websec@ietf.org>; Sat, 10 Mar 2012 17:07:35 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=LQGxCgW6VdL5WILzo1CdDXkEPs0nUS6wD/ZZBLqZ/ceV9226pmoy+41BKnVfNJhQBih667Z5ul5dKI5xQLALv6Ut9AwZKd4CIMIX9nWtDZWt2xvKpVon+CXpN/VAtyKP; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 5507 invoked from network); 11 Mar 2012 02:07:30 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 11 Mar 2012 02:07:30 +0100
Message-ID: <4F5BFAD1.6080804@gondrom.org>
Date: Sun, 11 Mar 2012 01:07:29 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <4F5A780E.6000208@KingsMountain.com>
In-Reply-To: <4F5A780E.6000208@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 01:07:37 -0000

Hi Jeff,

thank you very much for posting the update.

I like the new version and think we are getting close.

<hat="individual">

A few comments that would not interfere with WGLC. Mostly editorial 
(spelling stuff), but also two technical comments at the end of this 
email. The first technical is easy, the second technical comment may be 
more an issue and may need adding one paragraph to specify behaviour in 
the described case. (If it's not already there and I just missed it.)

editorial:
- Section 1:
-- in the next version please remove the line " [ Please discuss this 
draft on the WebSec@ietf.org mailing list [WEBSEC]. ]"
-- in first paragraph, is the link to informative reference 
[I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired 
I-D?

- Section 2.4.1.1
-- s/3.UAs need to persistently remember web sites that signal strict 
security policy enablement, for a web site declared time span./3.UAs 
need to persistently remember web sites that signal strict security 
policy enablement, for a by the web site declared time span.

- Section 3:
-- s/Note:  ..is a note to the reader.  These are points that should be 
expressly kept in mind and/or considered./Note: This is a note to the 
reader.  These are points that should be expressly kept in mind and/or 
considered.

- Section 5:
-- [with this one I am not 100% sure]
s/An HSTS Host conveys its HSTS Policy to UAs, only over secure 
transport (e.g., TLS), via the Strict-Transport-Security HTTP response 
header field./An HSTS Host conveys its HSTS Policy to UAs only over 
secure transport (e.g., TLS) via the Strict-Transport-Security HTTP 
response header field.

- Section 6:
-- s/This section defines the syntax of the new header this 
specification introduces. It also provides a short description of the 
function the header./This section defines the syntax of the new header 
as introduced by this specification. It also provides a short 
description of the function of the header.
-- s/The Section 7 "Server Processing Model" section details/The Section 
7 "Server Processing Model" details
--s/Likewise, the Section 8 "User Agent Processing Model" section 
details/Likewise, the Section 8 "User Agent Processing Model" details

- Section 6.1, last paragraph:
-- s/Additional directives extending the the semantic functionality of 
the/Additional directives extending the semantic functionality of the

- Section 61.1.
-- s/see also Section 8.1.1 "Noting a HSTS Host", below/see also Section 
8.1.1 "Noting a HSTS Host" below

- Section 8.1.2, point 1
-- s/and ignoring separator characters (see clause 3.1(4) of 
[RFC3986]./and ignoring separator characters (see clause 3.1(4) of 
[RFC3986]).
-- what do you mean by clause 3.1(4) of RFC3986?

- Section 8.3
-- s/(e.g., certificate errors)/(e.g. certificate errors)

- Section 8.5:
-- s/until the max-age value for the knowledge that Known HSTS Host is 
reached./until the max-age value for the knowledge of that Known HSTS 
Host is reached.
-- s/Note that the max age could be infinite for a given Known HSTS 
Host./Note that the max-age value could be infinite for a given Known 
HSTS Host.

- Section 12.2 title:
-- s/Determining the Effective Requrest URI/Determining the Effective 
Request URI

- Section 12.2.1 title:
-- s/Effective Requrest URI Examples/Effective Request URI Examples

- Appendix B, last paragraph:
-- s/In summary, although both HSTS Policy and SOP are enforced by by 
UAs,/In summary, although both HSTS Policy and SOP are enforced by UAs,


And two technical COMMENTS:
- Section 5, paragraph 2:
"Receipt of this header field signals to UAs to enforce the HSTS Policy 
for all subsequent secure transport connections made to the HSTS Host, 
for a specified time duration."
Actually the UA must enforce this for all subsequent transport 
connections be them secure or non-secure (i.e. if they are non-secure 
the scheme MUST be changed to secure (http->https)).

- it seems we have missed to specify one scenario:
The case is the following: A UA notes a superdomain e.g. example.com as 
a Known HSTS Host, with "includeSubDomains". Then after that the UA also 
receives a HSTS header from subdomain foo.example.com (with or without 
"includeSubDomains") and new max-age (longer or shorter time).
The point is in that case the HSTS timer of the superdomain 
(example.com) MUST NOT be changed (extended or shortened) to the timer 
used in the subdomain.
In fact the UA MUST keep both timers in cache independently and if at 
some point either one of them is removed (be due to expiry or because of 
an update setting max-age=0), the second remaining HSTS value MUST still 
be kept intact and applied. This is mainly to prevent that a subdomain 
can invalidate the HSTS flag of the superdomain or make it expire and 
vice versa.

Best regards, Tobias


On 09/03/12 21:37, =JeffH wrote:
> As far as I know, draft-ietf-websec-strict-transport-sec-05 is ready 
> for WG Last Call.
>
> =JeffH
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec