Re: [websec] Regarding RFC 6797
"Tobias Gondrom" <tobias.gondrom@gondrom.org> Mon, 14 May 2018 15:59 UTC
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: 'Anne van Kesteren' <annevk@annevk.nl>, 'Yoav Nir' <ynir.ietf@gmail.com>
Cc: 'Robert Linder' <Robert.Vuj.Linder@outlook.com>, websec@ietf.org
Date: Mon, 14 May 2018 17:59:47 +0200
I agree. Preload is probably the easiest way to go. And the use case of transfer of domain ownership cannot be ignored.

Not sure whether preload really needs further standardization; after all, there are only a few browser implementations out there. However, if you think that is needed, feel free to drop me a message and we can write up a quick ID and publish it as an individual ID.

Best regards, Tobias

-----Original Message-----
From: websec <websec-bounces@ietf.org> On Behalf Of Anne van Kesteren
Sent: Tuesday, May 8, 2018 9:48 AM
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Robert Linder <Robert.Vuj.Linder@outlook.com>; websec@ietf.org
Subject: Re: [websec] Regarding RFC 6797

On Mon, May 7, 2018 at 9:54 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Immutable meaning that the HSTS header is permanent and can never be
> removed? So if a user agent has seen an immutable HSTS header once,
> that site has to be (valid) HTTPS-only forever?
>
> Interesting idea.

FWIW, if anything, it should be about standardizing https://hstspreload.org/. That's already the widely adopted practice to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible, other than using a TLD that has HSTS as policy. And even then TLDs get reassigned or disappear at times...)

--
https://annevankesteren.nl/
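The thread turns on the difference between the dynamic HSTS policy of RFC 6797, which a host can shorten or withdraw with a fresh `max-age`, and the preload list, which a header cannot undo. The toy user-agent store below is an added illustration written for this archive page; it is not code from the thread, from any browser, or from hstspreload.org. The header grammar (`max-age`, `includeSubDomains`), the rule that headers over plain HTTP are ignored, and the "Known HSTS Host" lookup follow RFC 6797; the `preload` directive and the static list mirror the practice Anne points to. The class, its method names, and the `*.example` hosts are constructed for the example.

```python
"""Toy model of a user agent's HSTS policy store (RFC 6797) plus a preload list.

Added illustration, not code from the websec thread or from any browser.
Class, method names and sample hosts are constructed for this example.
"""
import re
import time
from typing import Callable, Optional

# Constructed sample preload list: hosts the UA ships with as HSTS-by-default.
# A header from the host cannot remove it, which is the "mostly immutable" part.
PRELOADED = {"preloaded.example": {"include_subdomains": True}}


def parse_sts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns None when the field is invalid (missing max-age, duplicate directive),
    in which case the UA ignores it.
    """
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # directives MUST appear only once
        directives[name] = value.strip().strip('"')  # max-age may be quoted
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsStore:
    """Dynamic HSTS policy store as RFC 6797 section 8.1 describes it."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.dynamic = {}  # host -> {"expires": float, "include_subdomains": bool}

    def observe(self, host: str, header: str, over_tls: bool = True) -> None:
        """Apply a header received from `host`; headers over plain HTTP are ignored."""
        if not over_tls:
            return
        policy = parse_sts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            # max-age=0 tells the UA to forget the host: the RFC policy is mutable,
            # so a new domain owner can withdraw it (but not a preload entry).
            self.dynamic.pop(host, None)
            return
        self.dynamic[host] = {
            "expires": self.now() + policy["max_age"],
            "include_subdomains": policy["include_subdomains"],
        }

    def is_known(self, host: str) -> bool:
        """Known HSTS Host check: preload list first, then unexpired dynamic entries,
        walking from the exact host up through its superdomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            pre = PRELOADED.get(candidate)
            if pre and (exact or pre["include_subdomains"]):
                return True
            dyn = self.dynamic.get(candidate)
            if dyn and dyn["expires"] > self.now() and (exact or dyn["include_subdomains"]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL when its host is a Known HSTS Host (section 8.3)."""
        m = re.fullmatch(r"http://([^/:]+)(.*)", url)
        if m and self.is_known(m.group(1).lower()):
            return f"https://{m.group(1)}{m.group(2)}"
        return url


if __name__ == "__main__":
    store = HstsStore(now=lambda: 1000.0)
    store.observe("dynamic.example", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.dynamic.example/"))   # upgraded
    store.observe("dynamic.example", "max-age=0")           # owner withdraws policy
    print(store.rewrite("http://www.dynamic.example/"))   # no longer upgraded
    store.observe("preloaded.example", "max-age=0")         # has no effect on preload
    print(store.rewrite("http://preloaded.example/"))     # still upgraded
```

Running it shows both halves of the argument: the dynamic entry disappears as soon as the host sends `max-age=0` (or simply lets it expire), whereas the preloaded host stays HTTPS-only no matter what header it sends, which is why a preloaded domain changing hands is the case the thread says cannot be ignored.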