Re: [websec] Issue #41 add parameter indicating whether to hardfail or not
"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Fri, 29 June 2012 16:45 UTC
Return-Path: <asteingruebl@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A9221F87CB for <websec@ietfa.amsl.com>; Fri, 29 Jun 2012 09:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Level:
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AatPJFCQIlis for <websec@ietfa.amsl.com>; Fri, 29 Jun 2012 09:45:49 -0700 (PDT)
Received: from den-mipot-001.corp.ebay.com (den-mipot-001.corp.ebay.com [216.113.175.152]) by ietfa.amsl.com (Postfix) with ESMTP id 83A8321F87C0 for <websec@ietf.org>; Fri, 29 Jun 2012 09:45:39 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=T7W4IBv4PxHlSaDoWloxDncgfLsaZzxGrmBAxf8IUmOHhf08JyUphR9N 0c4/HKN7NtmTY4PZEsqinZJLKAa/jmt9PoTAEuGMajqG5k8HVuHd9UBIV 60BMvZAMLzU0TGj;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=asteingruebl@paypal-inc.com; q=dns/txt; s=ppinc; t=1340988339; x=1372524339; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=TwkpmLY05OEi0HqEOeGzn8fpbiVyiv/FXnjDLj4G8tE=; b=SYqgHFcgACoFhzJrGASJYt01yrGdTzGDob+YuEBNftmvn0Fr01462KR4 tMwYYRsd+Ho6jmcC6lbYdel5dCXlH4UY4dMN6/jxk3+9F0jiFu29N/hrv cwbJ6EbWsgYUjPM;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.77,498,1336374000"; d="scan'208";a="8391682"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-EXMHT-003.corp.ebay.com) ([10.101.112.213]) by den-mipot-001.corp.ebay.com with ESMTP; 29 Jun 2012 09:45:38 -0700
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-003.corp.ebay.com ([fe80::55d3:9d86:3fc8:dbf4%14]) with mapi id 14.02.0298.004; Fri, 29 Jun 2012 10:45:00 -0600
From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Thread-Topic: [websec] Issue #41 add parameter indicating whether to hardfail or not
Thread-Index: AQHNVhPrj0PSF/XP90aTde9APV917ZcRf6lQ
Date: Fri, 29 Jun 2012 16:45:00 +0000
Message-ID: <1DFCCAFE421024488073B74EEA0173E1171F86@DEN-EXDDA-S12.corp.ebay.com>
References: <4FD6E91B.2000602@KingsMountain.com> <CABcZeBM_PLDaU_MPYad9sEtKpTsR8V2naT5WjDOEccu6eyKGMg@mail.gmail.com> <1DFCCAFE421024488073B74EEA0173E1170859@DEN-EXDDA-S12.corp.ebay.com> <4FEDD6D6.3070803@isode.com>
In-Reply-To: <4FEDD6D6.3070803@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.241.19.245]
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: iAWF6aytdvla/uPP3X/K1A==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Issue #41 add parameter indicating whether to hardfail or not
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 16:45:50 -0000
> -----Original Message----- > From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] > > Maybe this is not a good example, but I am thinking that something like > OCSP retrieval failing on the client side is not something that would > show up in the webserver logs. Sure, but doesn't the OCSP site know whether it has set HSTS? > > There is however "I am testing DKIM" flag published in DNS. Yep, but here you may not know all your sources of email, all of the domains, senders, etc. you could have an outsourcer sending mail on your behalf that you don't know about, haven't inventoried, etc. For HSTS that can't be the case. For HSTS you do know exactly what domain/host you're applying HSTS to. You don't necessarily know all of the inbound links, but you don't know that before HSTS an so you watch your weblogs for 404's for example to see typo'd links, inbound errors, etc. My contention is we already have this problem solved, and don't need a testing mode for it like this as there aren't any cases where the browser won't at least try to connect, and you can have an endpoint there ready/willing/able to listen to the request that is made. If nothing else you could put up a packet sniffer. - Andy
- Re: [websec] Issue #41 add parameter indicating w… =JeffH
- [websec] Comments on "I am testing HSTS"-directiv… Tobias Gondrom
- [websec] "This site is testing HSTS" directive (w… Alexey Melnikov
- Re: [websec] Issue #41 add parameter indicating w… Eric Rescorla
- Re: [websec] Issue #41 add parameter indicating w… Steingruebl, Andy
- Re: [websec] Issue #41 add parameter indicating w… Alexey Melnikov
- Re: [websec] Issue #41 add parameter indicating w… Steingruebl, Andy
- Re: [websec] Issue #41 add parameter indicating w… Eric Rescorla
- Re: [websec] Issue #41 add parameter indicating w… Alexey Melnikov
- Re: [websec] Issue #41 add parameter indicating w… Adam Barth