Re: [websec] Regarding RFC 6797

Eric Mill <eric.mill@gsa.gov> Tue, 08 May 2018 18:18 UTC

From: Eric Mill <eric.mill@gsa.gov>
Date: Tue, 08 May 2018 14:17:38 -0400
Message-ID: <CAC7uhV87OCuMOyoR52nCR1Rewy60F4otsP0borFXcaweLzScjg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Robert Linder <Robert.Vuj.Linder@outlook.com>, "websec@ietf.org" <websec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/_rg_Z38BvAzrUtrWckTZ2WVbwTQ>

On Tue, May 8, 2018 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, May 7, 2018 at 9:54 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> > Immutable meaning that the HSTS header is permanent and can never be
> > removed?  So if a user agent has seen an immutable HSTS header once, that
> > site has to be (valid) HTTPS-only forever?
> >
> > Interesting idea.
>
> FWIW, if anything, it should be about standardizing
> https://hstspreload.org/. That's already the widely adopted practice
> to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible,
> other than using a TLD that has HSTS as policy. And even then TLDs get
> reassigned or disappear at times...)
>

There is a list that could be used to discuss that, run by Chrome but with
members from other browsers:
https://groups.google.com/a/chromium.org/forum/#!forum/hsts-discuss

I also discussed some ideas with Lucas Garron (then on the Chrome team) in
late 2016 / early 2017 about how to standardize a way for public suffixes
to automatically request preloading, which we sketched out here:
https://docs.google.com/document/d/1fngkzHVBRRzYKWgiKDiUrOqWDUkDBbbTXAbo4BHEAoI/edit#heading=h.au203bjfkch0

In the end we didn't do anything sophisticated or standard, and instead
.gov just emails new domains in small, regular batches to Chrome and
Firefox for preloading. But moving the preloading process towards
standardization seems like it would be positive for everyone.

-- Eric


-- 
Eric Mill
Senior Advisor, Technology Transformation Services
Federal Acquisition Service, GSA
eric.mill@gsa.gov, +1-617-314-0966
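The thread contrasts a dynamically learned HSTS policy (RFC 6797, which a host can always shorten or revoke with a later max-age=0) with the "mostly-immutable" preloaded form that Anne refers to, where the browser ships the host in its built-in list and ignores what the header says until the host is removed from the list. The following parser and eligibility check is an added illustration, not code from the websec thread or from hstspreload.org. It parses the Strict-Transport-Security header per RFC 6797 section 6.1 and reports why a policy would fall short of the preload submission requirements; the thresholds it encodes (max-age of at least one year, includeSubDomains, and the non-RFC 6797 preload directive) are assumed from the public submission form and should be verified against hstspreload.org before being relied on.

```python
"""Parse an RFC 6797 Strict-Transport-Security header and check whether the
policy meets the assumed hstspreload.org submission requirements.
Added illustration, not code from the websec thread or from hstspreload.org."""

from dataclasses import dataclass
from typing import Optional

# Assumed hstspreload.org minimum max-age (one year in seconds); verify before use.
ONE_YEAR = 31536000


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # "preload" is a hstspreload.org convention, not in RFC 6797


def parse_hsts(header: str) -> Optional[HSTSPolicy]:
    """Parse per RFC 6797 section 6.1: directives are ';'-separated, directive
    names are case-insensitive, max-age is REQUIRED, values may be quoted
    strings, and a directive that appears more than once makes the whole
    header invalid (the UA MUST ignore it).  Returns None when invalid."""
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip()
        # Unwrap a quoted-string value such as max-age="31536000"
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name in seen:
            return None  # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age needs a delta-seconds value
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Any other directive is ignored (RFC 6797 extensibility rule)
    if max_age is None:
        return None  # max-age is REQUIRED by RFC 6797
    return HSTSPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HSTSPolicy]) -> list[str]:
    """Return the reasons a dynamic policy would not qualify for preloading
    (empty list means it meets the assumed requirements)."""
    if policy is None:
        return ["header missing or invalid"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    for sample in (
        "max-age=31536000; includeSubDomains; preload",
        "max-age=600",
        'max-age="0"',
        "max-age=10; max-age=20",
    ):
        print(f"{sample!r}: {preload_problems(parse_hsts(sample)) or 'eligible'}")
```

A max-age=0 header parses successfully and tells a user agent to drop a dynamically learned policy, which is exactly the lever a preloaded host no longer has: once it is in the shipped list, only removal from that list (and the browser releases that carry it) ends the policy, which is why the thread calls preloading "mostly" rather than truly immutable.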