Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 12 March 2012 23:30 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998C621E81E7 for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:30:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.101
X-Spam-Level:
X-Spam-Status: No, score=-100.101 tagged_above=-999 required=5 tests=[AWL=0.394, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGQAJJBq8efA for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:30:44 -0700 (PDT)
Received: from oproxy6-pub.bluehost.com (oproxy6.bluehost.com [IPv6:2605:dc00:100:2::a6]) by ietfa.amsl.com (Postfix) with SMTP id 4830E21E81F5 for <websec@ietf.org>; Mon, 12 Mar 2012 16:30:44 -0700 (PDT)
Received: (qmail 12319 invoked by uid 0); 12 Mar 2012 23:30:43 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 12 Mar 2012 23:30:43 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=J+YM7TPuNOGu9eR7yJ5KHNQQWgR/9sU8G/uIVXfHFsc=; b=4svaUFBsQHzeHqi0yJcVPjHiNiDcP9BRh4GScBJ03f88huVKrzGKk7XYHxgH1xGS583aD/wcU2Znwmy4O0ocYjJHXYzBXe5HiUQZcK6H9rafhltv7BxZ6HGJy/ynut+S;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.11]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S7EhO-0003aB-Qk; Mon, 12 Mar 2012 17:30:42 -0600
Message-ID: <4F5E8721.8040601@KingsMountain.com>
Date: Mon, 12 Mar 2012 16:30:41 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05 - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 23:30:45 -0000

Thanks for your review Tobias.

when I say "done" or "fixed" below, I mean in a forthcoming -06 revision.

 > A few comments that would not interfere with WGLC. Mostly editorial
 > (spelling stuff), but also two technical comments at the end of this
 > email. The first technical is easy, the second technical comment may be
 > more an issue and may need adding one paragraph to specify behaviour in
 > the described case. (If it's not already there and I just missed it.)
 >
 > editorial:
 > - Section 1:
 > -- in the next version please remove the line " [ Please discuss this
 > draft on the WebSec@ietf.org mailing list [WEBSEC]. ]"

sure, will do -- tho I figured that the RFC-Editor would remove this as a 
matter of course.

 > -- in first paragraph, is the link to informative reference
 > [I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired
 > I-D?

Yes, for SSLv3, that's the canonical reference -- it never progressed further.
I've added an annotation to the reference.


 > - Section 2.4.1.1
 > -- s/3.UAs need to persistently remember web sites that signal strict
 > security policy enablement, for a web site declared time span./3.UAs
 > need to persistently remember web sites that signal strict security
 > policy enablement, for a by the web site declared time span.

hm, your suggested substitution doesn't parse well. Perhaps you meant something 
like this..

   UAs need to persistently remember web sites that signal strict
   security policy enablement, for time spans declared by the web sites.

..?


 >
 > - Section 3:
 > -- s/Note:  ..is a note to the reader.  These are points that should be
 > expressly kept in mind and/or considered./Note: This is a note to the
 > reader.  These are points that should be expressly kept in mind and/or
 > considered.

done.



 > - Section 5:
 > -- [with this one I am not 100% sure]
 > s/An HSTS Host conveys its HSTS Policy to UAs, only over secure
 > transport (e.g., TLS), via the Strict-Transport-Security HTTP response
 > header field./An HSTS Host conveys its HSTS Policy to UAs only over
 > secure transport (e.g., TLS) via the Strict-Transport-Security HTTP
 > response header field.

yes, that sentence is tortured.

I've done this..

         An HSTS Host conveys its HSTS Policy to UAs via the
         Strict-Transport-Security HTTP response header field
         over secure transport (e.g., TLS).



 > - Section 6:
 > -- s/This section defines the syntax of the new header this
 > specification introduces. It also provides a short description of the
 > function the header./This section defines the syntax of the new header
 > as introduced by this specification. It also provides a short
 > description of the function of the header.
 >
 > -- s/The Section 7 "Server Processing Model" section details/The Section
 > 7 "Server Processing Model" details
 > --s/Likewise, the Section 8 "User Agent Processing Model" section
 > details/Likewise, the Section 8 "User Agent Processing Model" details

Yes, those paragraphs could use some improvement. I've changed them to..

    This section defines the syntax of the Strict-Transport-Security HTTP
    response header field and its directives, and presents some examples.

    Section 7 "Server Processing Model" then details how hosts employ
    this header field to declare their HSTS Policy, and Section 8 "User
    Agent Processing Model" details how user agents process the header
    field and apply the HSTS Policy.


 > - Section 6.1, last paragraph:
 > -- s/Additional directives extending the the semantic functionality of
 > the/Additional directives extending the semantic functionality of the

done.


 > - Section 61.1.
 > -- s/see also Section 8.1.1 "Noting a HSTS Host", below/see also Section
 > 8.1.1 "Noting a HSTS Host" below

", above." and ", below." (i.e., including the commas) are commonly used 
stylistic constructions. They are also used without the commas. I prefer them 
with. e.g. observe their use here..

   https://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style


 > - Section 8.1.2, point 1
 > -- s/and ignoring separator characters (see clause 3.1(4) of
 > [RFC3986]./and ignoring separator characters (see clause 3.1(4) of
 > [RFC3986]).

done.

 > -- what do you mean by clause 3.1(4) of RFC3986?

oops, good catch.  that was supposed to be "clause 3.1(4) of RFC3490", but 
that's now inappropriate due to its obsolescence by RFC5890 et al. I've fixed 
that sentence to be these two sentences..

                                       For each Known HSTS Host's domain
        name, the comparison is done with the query domain name label-by-
        label using an ASCII case-insensitive comparison beginning with
        the rightmost label, continuing right-to-left, and ignoring
        separator characters.  See also section 2.3.2.4. of [RFC5890].



 >
 > - Section 8.3
 > -- s/(e.g., certificate errors)/(e.g. certificate errors)

this is a matter of style. see also Chicago Manual of Style, section 5.54, as 
well as Wikipedia:Manual_of_Style.


 >
 > - Section 8.5:
 > -- s/until the max-age value for the knowledge that Known HSTS Host is
 > reached./until the max-age value for the knowledge of that Known HSTS
 > Host is reached.

done.

 > -- s/Note that the max age could be infinite for a given Known HSTS
 > Host./Note that the max-age value could be infinite for a given Known
 > HSTS Host.

done.


 >
 > - Section 12.2 title:
 > -- s/Determining the Effective Requrest URI/Determining the Effective
 > Request URI

done.


 >
 > - Section 12.2.1 title:
 > -- s/Effective Requrest URI Examples/Effective Request URI Examples

done.  (I wonder how my prior spell-check run missed these? sigh.)


 >
 > - Appendix B, last paragraph:
 > -- s/In summary, although both HSTS Policy and SOP are enforced by by
 > UAs,/In summary, although both HSTS Policy and SOP are enforced by UAs,

done.


 > And two technical COMMENTS:
 > - Section 5, paragraph 2:
 > "Receipt of this header field signals to UAs to enforce the HSTS Policy
 > for all subsequent secure transport connections made to the HSTS Host,
 > for a specified time duration."
 > Actually the UA must enforce this for all subsequent transport
 > connections be them secure or non-secure (i.e. if they are non-secure
 > the scheme MUST be changed to secure (http->https)).

good catch, thanks. fixed.


 > - it seems we have missed to specify one scenario:
 >
 > The case is the following: A UA notes a superdomain e.g. example.com as
 > a Known HSTS Host, with "includeSubDomains". Then after that the UA also
 > receives a HSTS header from subdomain foo.example.com (with or without
 > "includeSubDomains") and new max-age (longer or shorter time).
 > The point is in that case the HSTS timer of the superdomain
 > (example.com) MUST NOT be changed (extended or shortened) to the timer
 > used in the subdomain.
 >
 > In fact the UA MUST keep both timers in cache independently and if at
 > some point either one of them is removed (be due to expiry or because of
 > an update setting max-age=0), the second remaining HSTS value MUST still
 > be kept intact and applied. This is mainly to prevent that a subdomain
 > can invalidate the HSTS flag of the superdomain or make it expire and
 > vice versa.

yes, upon review, i think the language here in 8.1.2 "Known HSTS Host Domain 
Name Matching" (as well as in "Noting a HSTS Host") could stand some 
polishing/re-working.

Tho I'll reply on it in more detail in the "37: Clarify that superdomain HSTS 
flag does not update max-age of subdomain's HSTS max-age and vice versa" thread 
in the next day or so.

Unfortunately, the I-D deadline for IETF-83 is upon usin the next 45min, and I 
need to get -06 submitted.  Addressing this item will have to be in an -07 (I 
don't want to rush it here in next 30 min and mess it up further).


thanks again for the detailed review,

=JeffH