Re: [websec] #40: Various editorial comments on -06
"websec issue tracker" <trac+websec@trac.tools.ietf.org> Tue, 12 June 2012 18:27 UTC
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B3AC21F845B for <websec@ietfa.amsl.com>; Tue, 12 Jun 2012 11:27:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.399
X-Spam-Level:
X-Spam-Status: No, score=-101.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_63=0.6, J_CHICKENPOX_66=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXVAdx2W0lCZ for <websec@ietfa.amsl.com>; Tue, 12 Jun 2012 11:27:52 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [77.72.230.30]) by ietfa.amsl.com (Postfix) with ESMTP id 0A48D21F8458 for <websec@ietf.org>; Tue, 12 Jun 2012 11:27:52 -0700 (PDT)
Received: from localhost ([127.0.0.1]:48446 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SeVod-0007mR-EP; Tue, 12 Jun 2012 20:27:43 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: websec issue tracker <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Tue, 12 Jun 2012 18:27:43 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://wiki.tools.ietf.org/wg/websec/trac/ticket/40#comment:2
Message-ID: <085.21e9b19aa328e6b29670a989b46f7960@trac.tools.ietf.org>
References: <070.2b15f3c9acfbd2014856105820738ee9@trac.tools.ietf.org>
X-Trac-Ticket-ID: 40
In-Reply-To: <070.2b15f3c9acfbd2014856105820738ee9@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To:
Resent-Message-Id: <20120612182752.0A48D21F8458@ietfa.amsl.com>
Resent-Date: Tue, 12 Jun 2012 11:27:52 -0700
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #40: Various editorial comments on -06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2012 18:27:53 -0000
#40: Various editorial comments on -06 #choose ticket.new #when True https://www.ietf.org/mail-archive/web/websec/current/msg01092.html - paul hoffman Editorial: "annunciate" (used a few times) is a fancy word for "announce". Maybe use the far more common word instead. In section 3.1, "suboptimal downside" is unclear. Is there an optimal downside? I suggest replacing it with "negative". The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are used in 11.1 and 11.3. This should be an easy fix. https://www.ietf.org/mail-archive/web/websec/current/msg01093.html - yoav nir Editorial: In the introduction 2nd paragraph it says "(although modulo other rules)". s/modulo/subject to/. Also, replace "annunciate" with "announce" or "indicate". Both the introduction and section 8.2 say the policy applies to "all TCP ports". Hosts have multiple TCP ports: for SSH as an example. I suggest we change to "all HTTP(S) ports" In the title of section 8.5, I think we can do without the word "Interstitially". Section 10.1 begins with "Server implementations and deploying web sites need to consider whether they are setting…". Searching for the alternative (because an implied "or not" doesn't work for this sentence) took me to the 4th paragraph of this section, and the top of page 21, which begins with "Or, whether they are setting". This won't make it past the RFC editor, but I think it should be rephrased earlier. Section 14.1 discusses a UA behind an SSL proxy and implies that such a connection will cause warning screens (without HSTS) or hard failures. Such a deployment would be considered a wrong deployment of an SSL proxy. Administrators usually configure the UAs that are managed, and give detailed instructions to the owners of UAs that are not managed, so that the CA used by the proxy is trusted. There should be no warnings and no hard failures. https://www.ietf.org/mail-archive/web/websec/current/msg01108.html StPeter Section 1: This specification also incorporates notions from [JacksonBarth2008] in that policy is applied on an "entire-host" basis: it applies to all TCP ports of the issuing host. Please make it clear that all TCP ports does not mean all application protocols, only HTTP on all ports where it might be offered (not only the ports registered with the IANA). Section 7.2 Does is make sense to mention that status code 308 might be appropriate in certain circumstances? See draft-reschke-http-status-308. Section 8.4 The HTTP-Equiv <Meta> Element Attribute is defined in the HTML specification, so a reference would be helpful. Section 9 The phrase "valid Unicode-encoded string-serialized domain name" seems a bit strange, because we don't typically refer to Unicode as an encoding scheme. See RFC 6365 regarding such terminology. Section 11.1 I think the text about "no user recourse" conflates two things: showing a warning, and allowing the user to click through: "the user should not be presented with an explanatory dialog giving her the option to proceed." Would it be OK for a user agent to show an explanatory dialog but not provide an option to proceed? Is there a security reason to fail the connection without any explanation? Section 11.5 The note it worded a bit oddly (e.g., "it shouldn't be possible for an attacker to inject script..." might be better worded along the lines of "implementations need to guard against alowing an attacker to inject script..."). #end #otherwise #if changes_body Changes (by jeff.hodges@…): * status: new => closed * resolution: => fixed #end #if changes_descr #if not changes_body and not change.comment and change.author Description changed by jeff.hodges@…: #end -- #end #if change.comment Comment: fixed in -07 #end #end #end -- -------------------------+------------------------------------------------- Reporter: | Owner: draft-ietf-websec-strict- jeff.hodges@… | transport-sec@… Type: defect | Status: closed Priority: minor | Milestone: Component: strict- | Version: transport-sec | Resolution: fixed Severity: In WG Last | Call | Keywords: | -------------------------+------------------------------------------------- Ticket URL: <http://wiki.tools.ietf.org/wg/websec/trac/ticket/40#comment:2> websec <http://tools.ietf.org/websec/>
- [websec] #40: Various editorial comments on -06 websec issue tracker
- Re: [websec] #40: Various editorial comments on -… websec issue tracker
- Re: [websec] #40: Various editorial comments on -… websec issue tracker