Re: [websec] Notes from an HSTS Meetup (Sep. 2016)

Anne van Kesteren <annevk@annevk.nl> Fri, 20 January 2017 18:52 UTC

In-Reply-To: <CAC7uhV-jKJYPvSDJA6sjTsDz_ktX5PBXbFEP7Bkmt_2TJODD8A@mail.gmail.com>
References: <79E2F435-E9A0-4F54-8F01-6A3CB21E2F0E@apple.com> <CAPP_2Sb3jWwOiGwLQi_B9biJAfXMHSEVxS7U+q1xq08c2jBaQg@mail.gmail.com> <CAKj7jtvJYUvhcDbCqmOb9_3qf4iymjW6i5cEhx+UAw=wpL-vow@mail.gmail.com> <CAC7uhV-jKJYPvSDJA6sjTsDz_ktX5PBXbFEP7Bkmt_2TJODD8A@mail.gmail.com>
From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 20 Jan 2017 19:52:19 +0100
Message-ID: <CADnb78gJCQnyDan4+NFYmOa=p9i5=STw==awSXanv_-6pr3NqA@mail.gmail.com>
To: Eric Mill <eric.mill@gsa.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/V8C2cjBJa7D80D8aLU0mfQfstro>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Lucas Garron <lgarron@google.com>, websec <websec@ietf.org>
Subject: Re: [websec] Notes from an HSTS Meetup (Sep. 2016)

On Fri, Jan 20, 2017 at 7:38 PM, Eric Mill <eric.mill@gsa.gov> wrote:
> It's a novel approach, and potentially could serve as a model for other TLDs
> or suffixes -- so if folks have any feedback or suggestions about this
> effort, it'd be welcome and timely.

Is the reverse not possible? Where everything .gov is HSTS, unless
it's on an HTTP-safelist? Or would that list still be way longer?


-- 
https://annevankesteren.nl/
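The two policy shapes raised in this exchange (an opt-in preload list versus suffix-wide HSTS with an HTTP safelist of exceptions) can be compared with a small resolver. The code below is an added illustration, not part of either message and not any browser's preload implementation; the `Entry` type, the helper names and all sample hostnames and list contents are constructed for the example. Matching is done on DNS labels rather than string suffixes so that `notgov` is never treated as being under `gov`.

```python
"""Compare an opt-in HSTS preload model with a default-on, safelist-exception model.

Added example; hostnames, list contents and helper names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """A hostname entry in a policy list, optionally covering its subdomains
    (mirrors the preload list's includeSubDomains flag)."""
    domain: str
    include_subdomains: bool = True


def _labels(host: str) -> list[str]:
    """Normalise a hostname into lower-case DNS labels (trailing dot removed)."""
    return host.lower().rstrip(".").split(".")


def _covers(entry: Entry, host: str) -> bool:
    """True if the entry applies to host: exact match, or a subdomain match
    when the entry covers subdomains. Label-based, so 'gov' does not cover
    'notgov' the way a naive endswith() check would."""
    h, d = _labels(host), _labels(entry.domain)
    if h == d:
        return True
    return entry.include_subdomains and len(h) > len(d) and h[-len(d):] == d


def hsts_by_preload(host: str, preload: list[Entry]) -> bool:
    """Opt-in model: enforce HTTPS only for hosts that appear on (or fall
    under an includeSubDomains entry of) the preload list."""
    return any(_covers(e, host) for e in preload)


def hsts_by_suffix(host: str, enforced_suffixes: list[str],
                   http_safelist: list[Entry]) -> bool:
    """Default-on model: every host under an enforced suffix (e.g. 'gov') is
    HSTS unless it is carved out by an entry on the HTTP safelist."""
    under_suffix = any(_covers(Entry(s, True), host) for s in enforced_suffixes)
    if not under_suffix:
        return False
    return not any(_covers(e, host) for e in http_safelist)


# Constructed sample policy data for the demonstration.
PRELOAD = [Entry("example.gov", True), Entry("secure.agency.gov", False)]
ENFORCED_SUFFIXES = ["gov"]
HTTP_SAFELIST = [Entry("legacy.agency.gov", False),
                 Entry("intranet.agency.gov", True)]


def compare(hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {host: (preload_model_result, suffix_model_result)} so the
    hosts on which the two models disagree can be listed."""
    return {
        h: (hsts_by_preload(h, PRELOAD),
            hsts_by_suffix(h, ENFORCED_SUFFIXES, HTTP_SAFELIST))
        for h in hosts
    }


if __name__ == "__main__":
    sample = ["www.example.gov", "agency.gov", "legacy.agency.gov",
              "old.intranet.agency.gov", "secure.agency.gov",
              "notgov.example", "example.com"]
    for host, (by_preload, by_suffix) in compare(sample).items():
        flag = "" if by_preload == by_suffix else "  <-- models differ"
        print(f"{host:28} preload={by_preload!s:5} suffix={by_suffix!s:5}{flag}")
```

Running it shows that the suffix model upgrades hosts such as `agency.gov` that the preload model leaves on HTTP, while the safelist carves out `legacy.agency.gov` and everything under `intranet.agency.gov`; whichever list ends up shorter is exactly the question the reply asks.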