Re: [websec] #39: appropriately acknowlege and accommodate DANE

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 20 April 2012 21:32 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4A7021F8573 for <websec@ietfa.amsl.com>; Fri, 20 Apr 2012 14:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.532
X-Spam-Level:
X-Spam-Status: No, score=-102.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iGU0fNYajjVl for <websec@ietfa.amsl.com>; Fri, 20 Apr 2012 14:32:32 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id DEF1621F856D for <websec@ietf.org>; Fri, 20 Apr 2012 14:32:31 -0700 (PDT)
Received: from [10.20.30.103] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q3KLWTC6055000 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 20 Apr 2012 14:32:30 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4F91D2BE.7050305@KingsMountain.com>
Date: Fri, 20 Apr 2012 14:32:29 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E3858F35-E10D-4DA5-96C4-D13D4D8A4044@vpnc.org>
References: <4F91D2BE.7050305@KingsMountain.com>
To: =JeffH <jeff.hodges@kingsmountain.com>
X-Mailer: Apple Mail (2.1257)
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] #39: appropriately acknowlege and accommodate DANE
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 21:32:32 -0000

On Apr 20, 2012, at 2:18 PM, =JeffH wrote:

> In looking at this section, which is attempting to only (non-normatively) summarize the effects of the HSTS policy, it occurs to me it should be streamlined down to..
> 
> 
>   2.  The UA terminates any secure transport connection attempts upon
>       any and all secure transport errors or warnings.
> 
> 
> ..because section 10.2 now addresses details wrt "self-signed certs" and such.

That would be *much* better for section 2. Any "such as" will fool implementers into thinking you have a complete list.

--Paul Hoffman