Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 30 June 2012 15:22 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBC5021F8499 for <websec@ietfa.amsl.com>; Sat, 30 Jun 2012 08:22:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.514
X-Spam-Level:
X-Spam-Status: No, score=-99.514 tagged_above=-999 required=5 tests=[AWL=-2.736, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jt8EizMgwxPA for <websec@ietfa.amsl.com>; Sat, 30 Jun 2012 08:22:43 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id E5BEC21F8484 for <websec@ietf.org>; Sat, 30 Jun 2012 08:22:42 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=vzZh5X2iirgloAqVNG9PB1Tt4vnwDO4pOSv8WpSEe+lxsFG85IIoPPmKvUqm1fyrvp90CjoZUKyLIki31u8kQRJ55x8lP2Duecy3b0sEZs+hvnbV2a4Vq7AdqBQwZSns; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 21883 invoked from network); 30 Jun 2012 17:22:39 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.71?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jun 2012 17:22:39 +0200
Message-ID: <4FEF19BF.9050203@gondrom.org>
Date: Sat, 30 Jun 2012 16:22:39 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: websec@ietf.org
References: <4FEE166B.3070007@KingsMountain.com>
In-Reply-To: <4FEE166B.3070007@KingsMountain.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jun 2012 15:22:44 -0000
<hat="individual"> I tend to agree with Jeff and Andy's comments. The real use case / need for "report-only" is not fully clear to me. Yes, it could always be nice to have one more test-case to run before going life with a system, but IMHO I am having a hard time seeing where this flag would really add value. And we should not add features (and complexity) as for "report-only" to an I-D just for the sake of it and because they might one day be possibly help for an unclear or theoretical use-case. Just my 5cents. Best regards, Tobias On 29/06/12 21:56, =JeffH wrote: > > > Existence of "I am testing HSTS" directive would > > allow browsers to present debug information on HSTS succeeding/failing > > in some form (browser logs, additional debug frame, etc.) > > > This "report-only"/"testing" mode notion came up in WG discussion in > Paris, inspired in part on the "report-only" functionality in the > Content Security Policy spec. > > The way CSP handles signaling "report-only" is via a separate header > field ("Content-Security-Policy-Report-Only"), rather than as a > directive. > > Given that HSTS as presently specified is implemented in several > browsers (Chrome, Firefox, Opera12beta), and deployed by a number of > sites, we suggest finishing up the HSTS spec as is. > > Then, if there's interest and energy to define a > "report-only"/"testing" mode, a fairly simple follow-on spec could be > written leveraging the original HSTS spec and defining just what's > needed for this. > > > =JeffH > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- Re: [websec] "This site is testing HSTS" directiv… =JeffH
- Re: [websec] "This site is testing HSTS" directiv… =JeffH
- Re: [websec] "This site is testing HSTS" directiv… Tobias Gondrom
- Re: [websec] "This site is testing HSTS" directiv… Tobias Gondrom
- Re: [websec] "This site is testing HSTS" directiv… Peter Saint-Andre
- Re: [websec] "This site is testing HSTS" directiv… Chris Palmer