[websec] Protocol Action: 'HTTP Strict Transport Security (HSTS)' to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)

The IESG <iesg-secretary@ietf.org> Tue, 02 October 2012 13:37 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 0358F21F86C7; Tue, 2 Oct 2012 06:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.573
X-Spam-Status: No, score=-102.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id C7ikbdUzwxu4; Tue, 2 Oct 2012 06:37:11 -0700 (PDT)
Received: from ietfa.amsl.com (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1FE4B21F86DD; Tue, 2 Oct 2012 06:37:11 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 4.34
Message-ID: <20121002133711.30155.3163.idtracker@ietfa.amsl.com>
Date: Tue, 02 Oct 2012 06:37:11 -0700
Cc: websec mailing list <websec@ietf.org>, websec chair <websec-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [websec] Protocol Action: 'HTTP Strict Transport Security (HSTS)' to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2012 13:37:12 -0000

The IESG has approved the following document:
- 'HTTP Strict Transport Security (HSTS)'
  (draft-ietf-websec-strict-transport-sec-14.txt) as Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Barry Leiba and Pete Resnick.

A URL of this Internet Draft is:

Technical Summary

The specification defines a mechanism enabling web sites to declare
themselves accessible only via secure connections, and/or for users
to be able to direct their user agent(s) to interact with given sites
only over secure connections.  This overall policy is referred to as
HTTP Strict Transport Security (HSTS).  The policy is declared by web
sites via the Strict-Transport-Security HTTP response header field,
and/or by other means, such as user agent configuration, for example.

Working Group Summary

There was a good discussion in the WG on HSTS over an extended period of time.
Most of the draft consensus appears to be pretty strong. Discussion activity in the
last 4 weeks during WGLC has been relatively low, though no hot controversies did
show up.

There is one last-minute item raised in Paris that was less discussed than could have
been: whether the HSTS header should have a "report-only" feature. There was some
minor discussion and so far it appears that rough consensus is for the draft as it is
(without adding that feature), but the number of votes for this feature was not very high.

The GenART review during Last Call noted that text at the end of Section 6.1 specifies
and extension point and says that a registry might be created by the first extension
that needs it.  The review suggested either creating the registry now or, alternatively,
specifying its registration policy now to prevent an inappropriate choice of policy
later.  The working group decided to do the latter, and chose IETF Review for the

Document Quality

The document is in good shape.
The ABNF was reviewed and verified by several experts and appears to be correct.
The header is already deployed and implemented by several websites and browser


Shepherd: Tobias Gondrom
AD: Barry Leiba