Re: [websec] draft-ietf-websec-strict-transport-sec - closing of WGLC

Tobias Gondrom <> Tue, 03 July 2012 20:35 UTC

Hello Jeff and all HSTS authors and contributors!

Thank you for putting out the new revised version.

I think this should conclude the WG Last call on the draft and I will 
recommend the draft for IETF Last Call, as far as there are no 
objections raised from the WG. The shepherd write-up for HSTS is 
currently with my co-chair for review prior to submission to the AD.

There remain two things left to do:

1. @all authors: Could every author please confirm that any and all 
appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed?
A simple reply to the mailing-list or me with "Yes. All is conform with 
BCP 78 and BCP 79." by each author would be sufficient. To my knowledge 
no IPR disclosures have been made for this draft. Please inform me if 
there are any?

2. a check of idnits revealed that there are a few reference problems 
(including 3 Downref and 1 Obsolete normative reference). This will come 
up with the RFC-Editor by the latest, so please revisit the references 
and check the idnits tool on the draft ASAP.
Plus two warnings:

  == Missing Reference: 'I-D.draft-ietf-httpbis-p1-messaging-17' is mentioned
      on line 1839, but not defined

   == Outdated reference: A later version (-23) exists of

Best regards, Tobias

On 02/07/12 22:21, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Web Security Working Group of the IETF.
> 	Title           : HTTP Strict Transport Security (HSTS)
> 	Author(s)       : Jeff Hodges
>                            Collin Jackson
>                            Adam Barth
> 	Filename        : draft-ietf-websec-strict-transport-sec-10.txt
> 	Pages           : 48
> 	Date            : 2012-07-02
> Abstract:
>     This specification defines a mechanism enabling web sites to declare
>     themselves accessible only via secure connections, and/or for users
>     to be able to direct their user agent(s) to interact with given sites
>     only over secure connections.  This overall policy is referred to as
>     HTTP Strict Transport Security (HSTS).  The policy is declared by web
>     sites via the Strict-Transport-Security HTTP response header field,
>     and/or by other means, such as user agent configuration, for example.
> The IETF datatracker status page for this draft is:
> There's also a htmlized version available at:
> A diff from previous version is available at:
> Internet-Drafts are also available by anonymous FTP at: