Re: [websec] #60: Well Known URIs vs Response Headers
Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 01 August 2013 06:22 UTC
Message-ID: <51F9FEB3.90500@gondrom.org>
Date: Thu, 01 Aug 2013 08:22:43 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: palmer@google.com
In-Reply-To: <CAOuvq22q6HPnJebKNLLfqdY6tHce2Vw_xwgF6TxjM7-MqvLFjg@mail.gmail.com>
Cc: websec@ietf.org
Subject: Re: [websec] #60: Well Known URIs vs Response Headers
On 01/08/13 02:53, Chris Palmer wrote:
> On Wed, Jul 31, 2013 at 4:50 PM, Trevor Perrin <trevp@trevp.net> wrote:
>
>> I don't see why this would be a blocking load. I would expect it to
>> be done in the background, so have no latency impact.
>
> So are we supposed to send cookies (for example) to the server before
> finishing the W-K URI load?
>
> If I completely rewrite HPKP to be a W-K URI I-D encompassing all of
> HSTS, HPKP, and CSP (and what else?), does that actually have a chance
> of flying? Or would it be a waste of everyone's time? Keep in mind
> that including more people, including the authors of RFCs who think
> their work is done, will make for a very slow and expensive process.

<no hats>

I would not expect the draft to be extended to HSTS and CSP or other
things. Only consider the approach for HPKP at this time.

Btw. a few thoughts: personally I am not so comfortable with the
resource part yet and would still prefer the header, but would like to
do some more research before I make any arguments.

And there might actually be another approach: finish HPKP as is with
the header, and start a generic draft on moving "everything"
(extendable) to a resource location.

Btw. we should also start a discussion with W3C webappsec to learn what
they think about it, as CSP is done there.

Cheers, Tobias