Re: [websec] IETF WebSec WG <>

=JeffH <> Wed, 02 May 2012 18:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3AB0221F84CF for <>; Wed, 2 May 2012 11:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -100.495
X-Spam-Status: No, score=-100.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F1CcKkg8lPdX for <>; Wed, 2 May 2012 11:56:12 -0700 (PDT)
Received: from ( [IPv6:2605:dc00:100:2::a7]) by (Postfix) with SMTP id 4566C21F847E for <>; Wed, 2 May 2012 11:56:12 -0700 (PDT)
Received: (qmail 16424 invoked by uid 0); 2 May 2012 18:56:11 -0000
Received: from unknown (HELO ( by with SMTP; 2 May 2012 18:56:11 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=ltgPC35izhlhtMgU9ijW6S6xJxPSop/ZVQE6dEM2O8U=; b=TXCYzJgA6W1RFxdzc1gsEGWgBab2qryylS6KPXw+xRD9wJjUh7kUufB2tRMn+7K+UzagJUlW1xXP8NbX4/WGQlADDmULKxElGuikwTMMHOnu4n9GDourQqEFxszRm9PL;
Received: from [] (helo=[]) by with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <>) id 1SPeih-0007uN-8U; Wed, 02 May 2012 12:56:11 -0600
Message-ID: <>
Date: Wed, 02 May 2012 11:56:03 -0700
From: =JeffH <>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: Alexey Melnikov <>, IETF WebSec WG <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {} {sentby:smtp auth authed with}
Subject: Re: [websec] IETF WebSec WG <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 May 2012 18:56:13 -0000

Hi Alexey, thanks for the review, apologies for latency.

 >     The two directives defined in this specification are described below.
 >     The overall requirements for directives are:
 >     o  The order of appearance of directives is not significant.
 >     o  All directives MUST appear only once in an STS header field.
 >     o  Directive names are case-insensitive.
 >     o  UAs MUST ignore any STS header fields containing directives that
 >        do not conform to their ABNF definition.
 > Should this list also say something about how unrecognized directives
 > should be treated? I.e. are they ignored by default, is the whole
 > STS header field ignored, etc.

Does the last bullet item above not address those questions?

 >     Additional directives extending the semantic functionality of the STS
 >     header field may be defined in other specifications (which "update"
 >     this specification),
 > Is this a requirement on future extensions?
 > (In general "updating" this specification using Updates: in the header
 > of the relevant RFC
 > is a) a heavy weight mechanism (it prevents Experimental extensions) and
 > b) this seems
 > like a wrong mechanism anyway, as Updates usually means that the
 > document being
 > updated can't be implemented without the document which updates it.)

We can place in the above para whatever we/you/ourADs wish. Suggestions welcome.

 > 8.3.  Errors in Secure Transport Establishment
 >     When connecting to a Known HSTS Host, the UA MUST terminate the
 >     connection (see also Section 11 "User Agent Implementation Advice",
 >     below) if there are any errors (e.g., certificate errors), whether
 >     "warning" or "fatal" or any other error level, with the underlying
 >     secure transport.  This includes any issues with certificate
 >     revocation checking whether via the Certificate Revocation List (CRL)
 >     [RFC5280], or via the Online Certificate Status Protocol (OCSP)
 >     [RFC2560].
 > This was discussed in Paris, but I had this in my notes already and would
 > like to emphasize this: I assume that explaining the reason for the failure
 > to the user (without letting the user to opt-out) is Ok? I think the
 > document
 > needs to make it clear that this is not prohibited.

the above is being discussed in the "Showing errors in HSTS" thread.

 > 10.3.  Implications of includeSubDomains
 >     For example, certification authorities often offer their CRL
 >     distribution and OCSP services over plain HTTP, and sometimes at a
 > The first use of OCSP needs an Informative reference.

It's referenced way up at beginning of spec, but now ref'd here also in my -07 
working copy.

 >     subdomain of a publicly-available web application which may be
 >     secured by TLS/SSL.  For example, <> is a
 >     publicly-available web application for "Example CA", a certification
 >     authority.  Customers use this web application to register their
 >     public keys and obtain certificates.  Example CA generates
 >     certificates for customers containing
 > <> as the value for the "CRL
 >     Distribution Points" and "Authority Information Access:OCSP"
 >     certificate fields.
 > 13.  Internationalized Domain Names for Applications (IDNA): Dependency
 >       and Migration
 >     IDNA2008 obsoletes IDNA2003, but there are differences between the
 >     two specifications, and thus there can be differences in processing
 >     (e.g., converting) domain name labels that have been registered under
 >     one from those registered under the other.  There will be a
 >     transition period of some time during which IDNA2003-based domain
 >     name labels will exist in the wild.  User agents SHOULD implement
 >     IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of
 >     [RFC5894]) or [UTS46] in order to facilitate their IDNA transition.
 > I might be kicking a dead horse here, but MAY sounds a bit weak.
 > I especially dislike having the choice between 2 incompatible specs,
 > I think this might cause some interop problems.

As far as I can tell, having had fairly extensive discussions with IDNA folk 
both privately and on various lists such as idna-update@, the above relects the 
the unfortunate state of the world at this time. For instance, Pete Resnick 
signed off on the language in the spec in this message to websec@...

Re: [websec] wrt IDN processing-related security considerations for 

we should probably fork off any further discussion on this topic to that thread.

 > Also, does "in order to facilitate their IDNA transition" apply
 > to the second reference or to both references?

It applies to both. One may implement [RFC5895] /or/ [UTS46] to facilitate 
one's IDNA transition (as I understand it).

again, followups on this item and the above should probably be in the "Re: 
[websec] wrt IDN processing-related security considerations for 
draft-ietf-websec-strict-transport-sec" thread here on websec@.

 > In Section 14.5: NTP needs an Informative Reference.

fixed in my -07 working copy.

 > 15.  IANA Considerations
 >     Below is the Internet Assigned Numbers Authority (IANA) Provisional
 > I think here (and below) we should use "Permanent" registration for this
 > header field.
 >     Message Header Field registration information per [RFC3864].
 >       Header field name:           Strict-Transport-Security
 >       Applicable protocol:         HTTP
 >       Status:                      provisional
 >       Author/Change controller:    TBD
 >       Specification document(s):   this one

fixed in my -07 working copy

thanks again,