IETF Logo Mail Archive

Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)

Peter Saint-Andre <stpeter@stpeter.im> Tue, 03 July 2012 22:18 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6A621F864C for <websec@ietfa.amsl.com>; Tue, 3 Jul 2012 15:18:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.511
X-Spam-Level:
X-Spam-Status: No, score=-102.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87DQIH4qoP1j for <websec@ietfa.amsl.com>; Tue, 3 Jul 2012 15:18:35 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 14D3B21F860B for <websec@ietf.org>; Tue, 3 Jul 2012 15:18:35 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C35A14005A; Tue, 3 Jul 2012 16:37:00 -0600 (MDT)
Message-ID: <4FF36FBE.1030009@stpeter.im>
Date: Tue, 03 Jul 2012 16:18:38 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4FEE166B.3070007@KingsMountain.com> <4FEF19BF.9050203@gondrom.org>
In-Reply-To: <4FEF19BF.9050203@gondrom.org>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2012 22:18:37 -0000

On 6/30/12 9:22 AM, Tobias Gondrom wrote:
> <hat="individual">
> I tend to agree with Jeff and Andy's comments.
> 
> The real use case / need for "report-only" is not fully clear to me.
> Yes, it could always be nice to have one more test-case to run before
> going life with a system, but IMHO I am having a hard time seeing where
> this flag would really add value.
> And we should not add features (and complexity) as for "report-only" to
> an I-D just for the sake of it and because they might one day be
> possibly help for an unclear or theoretical use-case.

Here is my reading of the thread. The examples that Alexey and Eric
mentioned don't seem far-fetched (OCSP down, load-balancing between
multiple certs). However, it's not clear to me that they are of
significant concern, either. In both cases (and perhaps others), the
response seems to be something like "use a better OCSP service" or "do
more testing before you deploy interesting architectures". Eric is right
that the negative consequences of getting it wrong here are more
significant than with DNS because the TTL of a pinned cert is much
longer than the TTL of a DNS record. Thus if you want to use HSTS, you
need to be more careful. Certainly it seems that an implementation note
would be warranted. I tend to agree with Jeff that if people feel a
strong need for this, they can do so in a separate I-D (I don't
particularly see a need for it to go into the core spec, but I might be
missing something).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email