[websec] Protocol Action: 'HTTP Strict Transport Security (HSTS)' to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)
The IESG <iesg-secretary@ietf.org> Tue, 02 October 2012 13:37 UTC
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0358F21F86C7; Tue, 2 Oct 2012 06:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.573
X-Spam-Level:
X-Spam-Status: No, score=-102.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7ikbdUzwxu4; Tue, 2 Oct 2012 06:37:11 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE4B21F86DD; Tue, 2 Oct 2012 06:37:11 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 4.34
Message-ID: <20121002133711.30155.3163.idtracker@ietfa.amsl.com>
Date: Tue, 02 Oct 2012 06:37:11 -0700
Cc: websec mailing list <websec@ietf.org>, websec chair <websec-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [websec] Protocol Action: 'HTTP Strict Transport Security (HSTS)' to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2012 13:37:12 -0000
The IESG has approved the following document: - 'HTTP Strict Transport Security (HSTS)' (draft-ietf-websec-strict-transport-sec-14.txt) as Proposed Standard This document is the product of the Web Security Working Group. The IESG contact persons are Barry Leiba and Pete Resnick. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ Technical Summary The specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. Â This overall policy is referred to as HTTP Strict Transport Security (HSTS). Â The policy is declared by web sites via the Strict-Transport-Security HTTP response header field, and/or by other means, such as user agent configuration, for example. Working Group Summary There was a good discussion in the WG on HSTS over an extended period of time. Most of the draft consensus appears to be pretty strong. Discussion activity in the last 4 weeks during WGLC has been relatively low, though no hot controversies did show up. There is one last-minute item raised in Paris that was less discussed than could have been: whether the HSTS header should have a "report-only" feature. There was some minor discussion and so far it appears that rough consensus is for the draft as it is (without adding that feature), but the number of votes for this feature was not very high. The GenART review during Last Call noted that text at the end of Section 6.1 specifies and extension point and says that a registry might be created by the first extension that needs it. The review suggested either creating the registry now or, alternatively, specifying its registration policy now to prevent an inappropriate choice of policy later. The working group decided to do the latter, and chose IETF Review for the policy. Document Quality The document is in good shape. The ABNF was reviewed and verified by several experts and appears to be correct. The header is already deployed and implemented by several websites and browser implementations. Personnel Shepherd: Tobias Gondrom AD: Barry Leiba