Re: [websec] [Technical Errata Reported] RFC6797 (4075)

Tobias Gondrom <> Sun, 10 August 2014 11:48 UTC

Date: Sun, 10 Aug 2014 12:48:08 +0100
From: Tobias Gondrom <>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)

On 10/08/14 12:40, Yoav Nir wrote:
> On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <> wrote:
>> Thanks.
>> I agree, this is an "update" and not an "errata".
>> However, I am not sure how to best retain this information:
>> Because this is a good point for a best practice.
>> And be it only in advising the best practice when using HSTS, like
>> simply including one link to the parent to avoid
>> having unprotected parent-domains.
> Well, if we could talk Eric into writing a draft…

In theory we/he could do an RFC6797bis for this.
And as the change is only small, the review period should also be
possible to keep contained.

On the other hand, personally, I am not sure a new RFC would really be
necessary, because it seems to me that with proper best practices
(declare HSTS Policy at their top-level domain + frequently include the
top-level, to make sure its HSTS is still renewed) this can be solved
and there would be no change on the wire.

Best regards, Tobias
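The point under discussion (a policy set on a subdomain with includeSubDomains never covers its parent, and the proposed practice of declaring HSTS at the top-level domain and having subdomain pages pull in one resource from it closes that gap) can be checked against a small model of the RFC 6797 known-host cache. The following is an added example, not code from the thread or from any browser; it implements the header parsing of RFC 6797 section 6.1 and the superdomain matching of section 8.2 in simplified form, and all hostnames and header values are constructed for illustration.

```python
"""
Minimal model of the RFC 6797 HSTS known-host cache (added example, not
from the mailing-list thread). It shows that a Strict-Transport-Security
header from www.example.com with includeSubDomains does not make
example.com a Known HSTS Host, and that one fetch from example.com
carrying its own header does. Hostnames below are constructed.
"""
import time


class HstsCache:
    """Known HSTS Hosts keyed by lowercase hostname -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._hosts = {}

    @staticmethod
    def parse_header(value):
        """Parse an STS header value into (max_age, include_subdomains).

        Directive names are case-insensitive; max-age is required, so a
        header without a valid max-age is invalid and returns None.
        """
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            directive = directive.strip()
            if not directive:
                continue
            name, _, val = directive.partition("=")
            name = name.strip().lower()
            val = val.strip().strip('"')
            if name == "max-age":
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def observe(self, host, header_value, over_tls=True):
        """Process an STS header received from `host`.

        Headers received over an insecure transport are ignored; max-age=0
        removes the host from the cache. Returns True if the cache changed.
        """
        if not over_tls:
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """A host is a Known HSTS Host if it matches a cached entry exactly,
        or is a subdomain of an unexpired entry that set includeSubDomains.
        A cached subdomain never covers its parent (superdomain)."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def parent_domain_scenario():
    """Walk through the case discussed in the thread.

    Returns (parent_known_before, parent_known_after, sibling_known_after).
    """
    cache = HstsCache()
    # Only the www host has ever been visited; it sets includeSubDomains.
    cache.observe("www.example.com", "max-age=31536000; includeSubDomains")
    before = cache.is_known("example.com")          # parent is NOT covered
    # A page on www.example.com references one resource on example.com,
    # so the UA fetches it over TLS and receives the parent's own header.
    cache.observe("example.com", "max-age=31536000; includeSubDomains")
    after = cache.is_known("example.com")            # parent now covered
    sibling = cache.is_known("mail.example.com")     # covered via the parent
    return before, after, sibling


if __name__ == "__main__":
    print(parent_domain_scenario())
```

The scenario function returns (False, True, True): the first value is the unprotected-parent condition the errata describes, the second and third show the effect of the parent-domain fetch. Reissuing that fetch regularly is what keeps the parent's max-age from lapsing, which is the "frequently include the top-level" part of the practice.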