[websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 04 April 2012 11:50 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A54721F86D6 for <websec@ietfa.amsl.com>; Wed, 4 Apr 2012 04:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.607
X-Spam-Level:
X-Spam-Status: No, score=-101.607 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MXUCYRUwsWSE for <websec@ietfa.amsl.com>; Wed, 4 Apr 2012 04:50:31 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 6378C21F86B6 for <websec@ietf.org>; Wed, 4 Apr 2012 04:50:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1333540229; d=isode.com; s=selector; i=@isode.com; bh=O6vu+kTgCDClhlcQBTeSKC8KJvx0Ti+dqoTi+doJm54=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=UDqeLh2f/9dQuWwSb1z075YgB9z2UTj7abrjXjNSZ1FDWF2s14OiKFyjQNQ8XV0BE5W4Mr fLVsvDFT3cjYji9O37MWJhYx5bSKO/RjFnnpn0lsb5cnOU16sfcKsCRnq0ezwmYEKHckjQ 4R9eFAQDQEfQxOyHeiit6G+p9HpbrXI=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T3w1ggAk6bvu@rufus.isode.com>; Wed, 4 Apr 2012 12:50:29 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F7B5D18.1040407@isode.com>
Date: Tue, 03 Apr 2012 21:27:04 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: IETF WebSec WG <websec@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 11:50:32 -0000
Hi, Below is my WGLC review of the draft: 6.1. Strict-Transport-Security HTTP Response Header Field The Strict-Transport-Security HTTP response header field (STS header field) indicates to a UA that it MUST enforce the HSTS Policy in regards to the host emitting the response message containing this header field. The ABNF syntax for the STS header field is: Strict-Transport-Security = "Strict-Transport-Security" ":" *( ";" [ directive ] ) As already noted by other reviewers, this effectively requires a leading ";" which is not what was intended here. The two directives defined in this specification are described below. The overall requirements for directives are: o The order of appearance of directives is not significant. o All directives MUST appear only once in an STS header field. o Directive names are case-insensitive. o UAs MUST ignore any STS header fields containing directives that do not conform to their ABNF definition. Should this list also say something about how unrecognized directives should be treated? I.e. are they ignored by default, is the whole STS header field ignored, etc. Additional directives extending the semantic functionality of the STS header field may be defined in other specifications (which "update" this specification), Is this a requirement on future extensions? (In general "updating" this specification using Updates: in the header of the relevant RFC is a) a heavy weight mechanism (it prevents Experimental extensions) and b) this seems like a wrong mechanism anyway, as Updates usually means that the document being updated can't be implemented without the document which updates it.) using the STS directive extension point. 8.3. Errors in Secure Transport Establishment When connecting to a Known HSTS Host, the UA MUST terminate the connection (see also Section 11 "User Agent Implementation Advice", below) if there are any errors (e.g., certificate errors), whether "warning" or "fatal" or any other error level, with the underlying secure transport. This includes any issues with certificate revocation checking whether via the Certificate Revocation List (CRL) [RFC5280], or via the Online Certificate Status Protocol (OCSP) [RFC2560]. This was discussed in Paris, but I had this in my notes already and would like to emphasize this: I assume that explaining the reason for the failure to the user (without letting the user to opt-out) is Ok? I think the document needs to make it clear that this is not prohibited. 10.3. Implications of includeSubDomains For example, certification authorities often offer their CRL distribution and OCSP services over plain HTTP, and sometimes at a The first use of OCSP needs an Informative reference. subdomain of a publicly-available web application which may be secured by TLS/SSL. For example, <https://example-ca.com/> is a publicly-available web application for "Example CA", a certification authority. Customers use this web application to register their public keys and obtain certificates. Example CA generates certificates for customers containing <http://crl-and-ocsp.example-ca.com/> as the value for the "CRL Distribution Points" and "Authority Information Access:OCSP" certificate fields. 13. Internationalized Domain Names for Applications (IDNA): Dependency and Migration IDNA2008 obsoletes IDNA2003, but there are differences between the two specifications, and thus there can be differences in processing (e.g., converting) domain name labels that have been registered under one from those registered under the other. There will be a transition period of some time during which IDNA2003-based domain name labels will exist in the wild. User agents SHOULD implement IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of [RFC5894]) or [UTS46] in order to facilitate their IDNA transition. I might be kicking a dead horse here, but MAY sounds a bit weak. I especially dislike having the choice between 2 incompatible specs, I think this might cause some interop problems. Also, does "in order to facilitate their IDNA transition" apply to the second reference or to both references? If a user agent does not implement IDNA2008, the user agent MUST implement IDNA2003. In Section 14.5: NTP needs an Informative Reference. 15. IANA Considerations Below is the Internet Assigned Numbers Authority (IANA) Provisional I think here (and below) we should use "Permanent" registration for this header field. Message Header Field registration information per [RFC3864]. Header field name: Strict-Transport-Security Applicable protocol: HTTP Status: provisional Author/Change controller: TBD Specification document(s): this one
- [websec] Review of draft-ietf-websec-strict-trans… Alexey Melnikov
- [websec] Showing errors in HSTS Paul Hoffman
- Re: [websec] Showing errors in HSTS Tobias Gondrom
- Re: [websec] Showing errors in HSTS Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… =JeffH
- Re: [websec] Review of draft-ietf-websec-strict-t… Peter Saint-Andre
- Re: [websec] Review of draft-ietf-websec-strict-t… Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… Alexey Melnikov
- Re: [websec] Review of draft-ietf-websec-strict-t… Peter Saint-Andre
- Re: [websec] Review of draft-ietf-websec-strict-t… =JeffH