Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS
Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 11 March 2012 01:07 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0348F21F854D for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Level:
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4qxwEy06Ld9 for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:36 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id DEC8821F8545 for <websec@ietf.org>; Sat, 10 Mar 2012 17:07:35 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=LQGxCgW6VdL5WILzo1CdDXkEPs0nUS6wD/ZZBLqZ/ceV9226pmoy+41BKnVfNJhQBih667Z5ul5dKI5xQLALv6Ut9AwZKd4CIMIX9nWtDZWt2xvKpVon+CXpN/VAtyKP; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 5507 invoked from network); 11 Mar 2012 02:07:30 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 11 Mar 2012 02:07:30 +0100
Message-ID: <4F5BFAD1.6080804@gondrom.org>
Date: Sun, 11 Mar 2012 01:07:29 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <4F5A780E.6000208@KingsMountain.com>
In-Reply-To: <4F5A780E.6000208@KingsMountain.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 01:07:37 -0000
Hi Jeff, thank you very much for posting the update. I like the new version and think we are getting close. <hat="individual"> A few comments that would not interfere with WGLC. Mostly editorial (spelling stuff), but also two technical comments at the end of this email. The first technical is easy, the second technical comment may be more an issue and may need adding one paragraph to specify behaviour in the described case. (If it's not already there and I just missed it.) editorial: - Section 1: -- in the next version please remove the line " [ Please discuss this draft on the WebSec@ietf.org mailing list [WEBSEC]. ]" -- in first paragraph, is the link to informative reference [I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired I-D? - Section 2.4.1.1 -- s/3.UAs need to persistently remember web sites that signal strict security policy enablement, for a web site declared time span./3.UAs need to persistently remember web sites that signal strict security policy enablement, for a by the web site declared time span. - Section 3: -- s/Note: ..is a note to the reader. These are points that should be expressly kept in mind and/or considered./Note: This is a note to the reader. These are points that should be expressly kept in mind and/or considered. - Section 5: -- [with this one I am not 100% sure] s/An HSTS Host conveys its HSTS Policy to UAs, only over secure transport (e.g., TLS), via the Strict-Transport-Security HTTP response header field./An HSTS Host conveys its HSTS Policy to UAs only over secure transport (e.g., TLS) via the Strict-Transport-Security HTTP response header field. - Section 6: -- s/This section defines the syntax of the new header this specification introduces. It also provides a short description of the function the header./This section defines the syntax of the new header as introduced by this specification. It also provides a short description of the function of the header. -- s/The Section 7 "Server Processing Model" section details/The Section 7 "Server Processing Model" details --s/Likewise, the Section 8 "User Agent Processing Model" section details/Likewise, the Section 8 "User Agent Processing Model" details - Section 6.1, last paragraph: -- s/Additional directives extending the the semantic functionality of the/Additional directives extending the semantic functionality of the - Section 61.1. -- s/see also Section 8.1.1 "Noting a HSTS Host", below/see also Section 8.1.1 "Noting a HSTS Host" below - Section 8.1.2, point 1 -- s/and ignoring separator characters (see clause 3.1(4) of [RFC3986]./and ignoring separator characters (see clause 3.1(4) of [RFC3986]). -- what do you mean by clause 3.1(4) of RFC3986? - Section 8.3 -- s/(e.g., certificate errors)/(e.g. certificate errors) - Section 8.5: -- s/until the max-age value for the knowledge that Known HSTS Host is reached./until the max-age value for the knowledge of that Known HSTS Host is reached. -- s/Note that the max age could be infinite for a given Known HSTS Host./Note that the max-age value could be infinite for a given Known HSTS Host. - Section 12.2 title: -- s/Determining the Effective Requrest URI/Determining the Effective Request URI - Section 12.2.1 title: -- s/Effective Requrest URI Examples/Effective Request URI Examples - Appendix B, last paragraph: -- s/In summary, although both HSTS Policy and SOP are enforced by by UAs,/In summary, although both HSTS Policy and SOP are enforced by UAs, And two technical COMMENTS: - Section 5, paragraph 2: "Receipt of this header field signals to UAs to enforce the HSTS Policy for all subsequent secure transport connections made to the HSTS Host, for a specified time duration." Actually the UA must enforce this for all subsequent transport connections be them secure or non-secure (i.e. if they are non-secure the scheme MUST be changed to secure (http->https)). - it seems we have missed to specify one scenario: The case is the following: A UA notes a superdomain e.g. example.com as a Known HSTS Host, with "includeSubDomains". Then after that the UA also receives a HSTS header from subdomain foo.example.com (with or without "includeSubDomains") and new max-age (longer or shorter time). The point is in that case the HSTS timer of the superdomain (example.com) MUST NOT be changed (extended or shortened) to the timer used in the subdomain. In fact the UA MUST keep both timers in cache independently and if at some point either one of them is removed (be due to expiry or because of an update setting max-age=0), the second remaining HSTS value MUST still be kept intact and applied. This is mainly to prevent that a subdomain can invalidate the HSTS flag of the superdomain or make it expire and vice versa. Best regards, Tobias On 09/03/12 21:37, =JeffH wrote: > As far as I know, draft-ietf-websec-strict-transport-sec-05 is ready > for WG Last Call. > > =JeffH > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec