Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)

Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 30 June 2012 15:23 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4D621F85A0 for <websec@ietfa.amsl.com>; Sat, 30 Jun 2012 08:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.514
X-Spam-Level:
X-Spam-Status: No, score=-99.514 tagged_above=-999 required=5 tests=[AWL=-2.736, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWVq9Imn67zX for <websec@ietfa.amsl.com>; Sat, 30 Jun 2012 08:23:15 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id CAA3C21F859E for <websec@ietf.org>; Sat, 30 Jun 2012 08:23:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=nPYfwutcrA+8LJN5jz2yNsKel0v15KBLP+Pc9d8+bvuLu156IjhXGxuZ3/Ch3OusUgTLjyRPx3ZpyoS5VHj5ClevMYyA+ubc/nkPh4r5XnZyd2V8Da7BjU0/yIeKw8Bu; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 21904 invoked from network); 30 Jun 2012 17:23:14 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.71?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jun 2012 17:23:14 +0200
Message-ID: <4FEF19E1.6050007@gondrom.org>
Date: Sat, 30 Jun 2012 16:23:13 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: websec@ietf.org
References: <4FEE166B.3070007@KingsMountain.com>
In-Reply-To: <4FEE166B.3070007@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jun 2012 15:23:15 -0000

<hat="individual">
I tend to agree with Jeff and Andy's comments.

The real use case / need for "report-only" is not fully clear to me.
Yes, it could always be nice to have one more test-case to run before 
going life with a system, but IMHO I am having a hard time seeing where 
this flag would really add value.
And we should not add features (and complexity) as for "report-only" to 
an I-D just for the sake of it and because they might one day be 
possibly help for an unclear or theoretical use-case.

Just my 5cents.

Best regards, Tobias


On 29/06/12 21:56, =JeffH wrote:
>
> > Existence of "I am testing HSTS" directive would
> > allow browsers to present debug information on HSTS succeeding/failing
> > in some form (browser logs, additional debug frame, etc.)
>
>
> This "report-only"/"testing" mode notion came up in WG discussion in 
> Paris, inspired in part on the "report-only" functionality in the 
> Content Security Policy spec.
>
> The way CSP handles signaling "report-only"  is via a separate header 
> field ("Content-Security-Policy-Report-Only"), rather than as a 
> directive.
>
> Given that HSTS as presently specified is implemented in several 
> browsers (Chrome, Firefox, Opera12beta), and deployed by a number of 
> sites, we suggest finishing up the HSTS spec as is.
>
> Then, if there's interest and energy to define a 
> "report-only"/"testing" mode, a fairly simple follow-on spec could be 
> written leveraging the original HSTS spec and defining just what's 
> needed for this.
>
>
> =JeffH
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec