Re: [websec] Issue that came up about HSTS

Yoav Nir <ynir@checkpoint.com> Mon, 29 October 2012 06:02 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Date: Mon, 29 Oct 2012 08:02:31 +0200
Cc: IETF WebSec WG <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>

On Oct 29, 2012, at 4:53 AM, Steingruebl, Andy wrote:

>> -----Original Message-----
>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>> Behalf Of Paul Hoffman
>> 
>> On Oct 26, 2012, at 11:42 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>> 
>>> draft-ietf-websec-strict-transport-sec is now being edited by the RFC
>>> editor. An issue has come up. We need to resolve this quickly, so please read
>>> the following and reply to the list with your opinions.
>> 
>> This looks like a useful, harmless addition.
> 
> If you need a second, consider this it :)

That's good to know.

What we're really after is the presence of (or lack of) statements such as "oh my god, this is a horrible idea", preferably followed by something beginning with "because" :)

Otherwise, the authors are for this change (it was Jeff's idea) and if nobody objects, it will go in.

Yoav