Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-09
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 08 June 2012 18:34 UTC
Message-ID: <4FD24634.10509@KingsMountain.com>
Date: Fri, 08 Jun 2012 11:36:36 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Howdy again,

Please note that there are a fair number of non-trivial and/or nuanced changes in several places in draft-ietf-websec-strict-transport-sec-09 (relative to rev -06) in response to various folks' [1] reviews (thx! And thx to PaulH for his ack on -08 recently).

It'd be great to get some acknowledgement that the changes meet expectations, especially those in these sections..

  6.1.  Strict-Transport-Security HTTP Response Header Field
  6.1.1.  The max-age Directive
  6.1.2.  The includeSubDomains Directive
  8.1.  Strict-Transport-Security Response Header Field Processing
  8.1.1.  Noting a HSTS Host
  8.2.  Known HSTS Host Domain Name Matching
  8.3.  URI Loading and Port Mapping
  9.  Domain Name IDNA-Canonicalization
  10.1.  HSTS Policy expiration time considerations
  10.2.  Using HSTS in conjunction with self-signed public-key certificates
  11.4.  Disallow Mixed Security Context Loads
  14.  Security Considerations (just the new intro paragraphs)
  14.6.  Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
  Appendix A.  Design Decision Notes

There are also (editorial) changes in several other sections.

I believe these changes address issue tickets #s: 33, 37, 39, 40, 43, 44, 45, and 46. I'll be closing these tickets soon unless issues are raised.

Please also see the change log below.

This URI will get you a side-by-side diff between -06 and -09..

https://tools.ietf.org/rfcdiff?url1=draft-ietf-websec-strict-transport-sec-06.txt&url2=draft-ietf-websec-strict-transport-sec-09.txt

thanks,

=JeffH

[1] Alexey M.
    Julian R.
    Murray K.
    Paul Hoffman
    Peter StA
    Tobias G.
    Barry L.

==============================================================

Appendix D.  Change Log

   [RFCEditor: please remove this section upon publication as an RFC.]

   Changes are grouped by spec revision listed in reverse issuance order.

D.1.  For draft-ietf-websec-strict-transport-sec

   Changes from -08 to -09:

   1.  Added IESG Note to Section 3 "Conformance Criteria" per Barry
       Leiba's suggestion on the mailing list.
       <https://www.ietf.org/mail-archive/web/websec/current/msg01200.html>

   2.  Added additional requirement #5 to requirements for STS header
       field directives in Section 6.1 per Alexey's review.  This
       completes the addressing of issue ticket #45.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/45>

   3.  Addressed editorial feedback in Murray's AppsDir review of -06.
       Most all of these changes were addressing detailed/small
       editorial items, however note the addition of a couple of
       introductory paragraphs in the Security Considerations section,
       as well as a re-written and expanded Section 14.6 "Bogus Root CA
       Certificate Phish plus DNS Cache Poisoning Attack", as well the
       new item #5 to Appendix A "Design Decision Notes".  This
       addresses issue ticket #46.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/46>

   Changes from -07 to -08:

   1.  Clarified requirement #4 for STS header field directives in
       Section 6.1, and removed "(which "update" this specification)".
       Also added explicit "max-age=0" to Section 6.1.1.  Reworked
       final sentence in 2nd para of Section 13.  This addresses issue
       ticket #45.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/45>

   Changes from -06 to -07:

   1.  Various minor/modest editorial tweaks throughout as I went
       through it pursuing the below issue tickets.  Viewing a visual
       diff against -06 revision recommended.

   2.  Fixed some minor editorial issues noted in review by Alexey,
       fixes noted in here:
       <https://www.ietf.org/mail-archive/web/websec/current/msg01163.html>

   3.  Addressed ABNF exposition issues, specifically inclusion of
       quoted-string syntax for directive values.  Fix STS header ABNF
       such that a leading ";" isn't required.  Add example of
       quoted-string-encoded max-age-value.  This addresses (re-opened)
       issue ticket #33.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

   4.  Reworked sections 8.1 through 8.3 to ensure matching algorithm
       and resultant HSTS Policy application is more clear, and that it
       is explicitly stipulated to not muck with attributes of
       superdomain matching Known HSTS Hosts.  This addresses issue
       ticket #37.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/37>

   5.  Added reference to [I-D.ietf-dane-protocol], pared back
       extraneous discussion in section 2.2, and updated discussion in
       10.2 to accommodate TLSA (nee DANE).  This addresses issue
       ticket #39.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/39>

   6.  Addressed various editorial items from issue ticket #40.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/40>

   7.  Loosened up the language regarding redirecting "http" requests
       to "https" in section 7.2 such that future flavors of permanent
       redirects are accommodated.  This addresses issue ticket #43.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/43>

   8.  Reworked the terminology and language in Section 9, in
       particular defining the term "putative domain name string" to
       replace "valid Unicode-encoded string-serialized domain name".
       This addresses issue ticket #44.
       <http://trac.tools.ietf.org/wg/websec/trac/ticket/44>

   Changes from -05 to -06:

   . . . .

---
end
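The change-log items on the STS header ABNF (quoted-string directive values, no leading ";" required, explicit "max-age=0") and on the Known HSTS Host matching algorithm (superdomain match via includeSubDomains, without touching the superdomain's attributes) are small enough to model in code. The following is an added illustration written for this page, not code from the draft or its author; the function names, the in-memory `store` dict and the sample header values are assumptions.

```python
# Added example: a minimal model of STS header parsing and Known HSTS Host
# matching as the -07..-09 change log describes them. Not from the draft.
import re

_TOKEN = r'[!#$%&\'*+\-.^_`|~0-9A-Za-z]+'
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(r'\s*(' + _TOKEN + r')\s*(?:=\s*(' + _TOKEN + r'|' + _QUOTED + r'))?\s*$')

def parse_sts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if the
    header value does not conform and must therefore be ignored by the UA."""
    seen = {}
    for part in value.split(';'):      # ";" separates directives; empty slots allowed
        if part.strip() == '':
            continue                   # covers a leading ";" and trailing ";"
        m = _DIRECTIVE.match(part)
        if m is None:
            return None                # syntax error anywhere -> ignore whole header
        name = m.group(1).lower()      # directive names are case-insensitive
        if name in seen:
            return None                # each directive may appear only once
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])   # unquote quoted-string
        seen[name] = val
    max_age = seen.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None                    # max-age is required and is delta-seconds
    if 'includesubdomains' in seen and seen['includesubdomains'] is not None:
        return None                    # includeSubDomains is valueless
    return {'max_age': int(max_age), 'include_subdomains': 'includesubdomains' in seen}

def process_sts(store, host, header_value):
    """Apply an STS header received over a secure transport from `host`
    (already lowercased/canonicalized) to the Known HSTS Host store."""
    policy = parse_sts(header_value)
    if policy is None:
        return
    if policy['max_age'] == 0:
        store.pop(host, None)          # max-age=0 tells the UA to forget this host
    else:
        store[host] = policy           # only the congruent entry is ever written

def is_known_hsts_host(store, domain):
    """Congruent match first; otherwise a superdomain match, which counts only
    when that superdomain asserted includeSubDomains. Read-only on the store."""
    d = domain.lower()
    if d in store:
        return True
    labels = d.split('.')
    return any('.'.join(labels[i:]) in store and store['.'.join(labels[i:])]['include_subdomains']
               for i in range(1, len(labels)))
```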