Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
Peter Saint-Andre <stpeter@stpeter.im> Tue, 03 July 2012 22:18 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6A621F864C for <websec@ietfa.amsl.com>; Tue, 3 Jul 2012 15:18:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.511
X-Spam-Level:
X-Spam-Status: No, score=-102.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87DQIH4qoP1j for <websec@ietfa.amsl.com>; Tue, 3 Jul 2012 15:18:35 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 14D3B21F860B for <websec@ietf.org>; Tue, 3 Jul 2012 15:18:35 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C35A14005A; Tue, 3 Jul 2012 16:37:00 -0600 (MDT)
Message-ID: <4FF36FBE.1030009@stpeter.im>
Date: Tue, 03 Jul 2012 16:18:38 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4FEE166B.3070007@KingsMountain.com> <4FEF19BF.9050203@gondrom.org>
In-Reply-To: <4FEF19BF.9050203@gondrom.org>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2012 22:18:37 -0000
On 6/30/12 9:22 AM, Tobias Gondrom wrote: > <hat="individual"> > I tend to agree with Jeff and Andy's comments. > > The real use case / need for "report-only" is not fully clear to me. > Yes, it could always be nice to have one more test-case to run before > going life with a system, but IMHO I am having a hard time seeing where > this flag would really add value. > And we should not add features (and complexity) as for "report-only" to > an I-D just for the sake of it and because they might one day be > possibly help for an unclear or theoretical use-case. Here is my reading of the thread. The examples that Alexey and Eric mentioned don't seem far-fetched (OCSP down, load-balancing between multiple certs). However, it's not clear to me that they are of significant concern, either. In both cases (and perhaps others), the response seems to be something like "use a better OCSP service" or "do more testing before you deploy interesting architectures". Eric is right that the negative consequences of getting it wrong here are more significant than with DNS because the TTL of a pinned cert is much longer than the TTL of a DNS record. Thus if you want to use HSTS, you need to be more careful. Certainly it seems that an implementation note would be warranted. I tend to agree with Jeff that if people feel a strong need for this, they can do so in a separate I-D (I don't particularly see a need for it to go into the core spec, but I might be missing something). Peter -- Peter Saint-Andre https://stpeter.im/
- Re: [websec] "This site is testing HSTS" directiv… =JeffH
- Re: [websec] "This site is testing HSTS" directiv… =JeffH
- Re: [websec] "This site is testing HSTS" directiv… Tobias Gondrom
- Re: [websec] "This site is testing HSTS" directiv… Tobias Gondrom
- Re: [websec] "This site is testing HSTS" directiv… Peter Saint-Andre
- Re: [websec] "This site is testing HSTS" directiv… Chris Palmer