IETF Logo Mail Archive

Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 29 June 2012 20:56 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B88C11E8080 for <websec@ietfa.amsl.com>; Fri, 29 Jun 2012 13:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.995
X-Spam-Level:
X-Spam-Status: No, score=-100.995 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXDpNmvNQWks for <websec@ietfa.amsl.com>; Fri, 29 Jun 2012 13:56:13 -0700 (PDT)
Received: from oproxy5-pub.bluehost.com (oproxy5.bluehost.com [IPv6:2605:dc00:100:2::a5]) by ietfa.amsl.com (Postfix) with SMTP id D670A11E807F for <websec@ietf.org>; Fri, 29 Jun 2012 13:56:12 -0700 (PDT)
Received: (qmail 7271 invoked by uid 0); 29 Jun 2012 20:56:12 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 29 Jun 2012 20:56:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=T73RvSP1Stxv430SLojW80+bbg1BLoZgzDMFjM4s+GQ=; b=7cLC7GsFDLFUNQLAWc2vsqPvHIjjwlK5bo93NVOwLnz7f2M3diUPp2HL4I8dfDwdA+s5z5aOo8ZAJprqm2l6FGdY2YurnVCA8m0j0rszAE4n5NQoPAMCk+uXLNOHS7id;
Received: from [216.113.168.128] (port=20906 helo=[10.244.136.119]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SkiEe-0005pl-Fc for websec@ietf.org; Fri, 29 Jun 2012 14:56:12 -0600
Message-ID: <4FEE166B.3070007@KingsMountain.com>
Date: Fri, 29 Jun 2012 13:56:11 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 20:56:13 -0000

 > Existence of "I am testing HSTS" directive would
 > allow browsers to present debug information on HSTS succeeding/failing
 > in some form (browser logs, additional debug frame, etc.)


This "report-only"/"testing" mode notion came up in WG discussion in Paris, 
inspired in part on the "report-only" functionality in the Content Security 
Policy spec.

The way CSP handles signaling "report-only"  is via a separate header field 
("Content-Security-Policy-Report-Only"), rather than as a directive.

Given that HSTS as presently specified is implemented in several browsers 
(Chrome, Firefox, Opera12beta), and deployed by a number of sites, we suggest 
finishing up the HSTS spec as is.

Then, if there's interest and energy to define a "report-only"/"testing" mode, 
a fairly simple follow-on spec could be written leveraging the original HSTS 
spec and defining just what's needed for this.


=JeffH

v2.23.0 | Report a Bug | By Email