Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 04 May 2012 11:10 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41BCF21F871C for <websec@ietfa.amsl.com>; Fri, 4 May 2012 04:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.506
X-Spam-Level:
X-Spam-Status: No, score=-102.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvEJSDkoWRrH for <websec@ietfa.amsl.com>; Fri, 4 May 2012 04:10:25 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 07B3021F871A for <websec@ietf.org>; Fri, 4 May 2012 04:10:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1336129823; d=isode.com; s=selector; i=@isode.com; bh=9TywROaqWhXvsH9Auqi6LopWygUMGnxi182COa5wGgQ=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=nOa1eGParXaNHGb/U1sXwGUhBlB/f0WZNx982fMW7Nf5RQKiST3N2oWfdIv3/3Z6h0cGF7 UJxbbVS5bn9c0YJ0Ijzum5wU8FnZu6X7QT0RvOSLFXTwg9GkhMVLQKyWYIQGgNeIVjCpwN rTI5Jxyk8Guov+UzNaAn39+LaabaWPQ=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T6O5HgB=g2t5@rufus.isode.com>; Fri, 4 May 2012 12:10:23 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4FA3B940.2090204@isode.com>
Date: Fri, 04 May 2012 12:10:56 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4FA18EF1.9040206@KingsMountain.com>
In-Reply-To: <4FA18EF1.9040206@KingsMountain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Review of draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 11:10:26 -0000

On 02/05/2012 20:45, =JeffH wrote:
> [ resent with correct Subject: ]
>
> Hi Alexey, thanks for the review, apologies for latency.
Hi Jeff,
> >     The two directives defined in this specification are described 
> below.
> >     The overall requirements for directives are:
> >
> >     o  The order of appearance of directives is not significant.
> >
> >     o  All directives MUST appear only once in an STS header field.
> >
> >     o  Directive names are case-insensitive.
> >
> >     o  UAs MUST ignore any STS header fields containing directives that
> >        do not conform to their ABNF definition.
> >
> > Should this list also say something about how unrecognized directives
> > should be treated? I.e. are they ignored by default, is the whole
> > STS header field ignored, etc.
>
> Does the last bullet item above not address those questions?
No. The last bullet is talking about recognized, but invalid data. I am 
asking about unrecognized data.

> >     Additional directives extending the semantic functionality of 
> the STS
> >     header field may be defined in other specifications (which "update"
> >     this specification),
> >
> > Is this a requirement on future extensions?
> > (In general "updating" this specification using Updates: in the header
> > of the relevant RFC
> > is a) a heavy weight mechanism (it prevents Experimental extensions) 
> and
> > b) this seems
> > like a wrong mechanism anyway, as Updates usually means that the
> > document being
> > updated can't be implemented without the document which updates it.)
>
> We can place in the above para whatever we/you/ourADs wish. 
> Suggestions welcome.
It is not about the location of this sentence. I think you need to 
strike "(which "update" this specification)".

> >     subdomain of a publicly-available web application which may be
> >     secured by TLS/SSL.  For example, <https://example-ca.com/> is a
> >     publicly-available web application for "Example CA", a 
> certification
> >     authority.  Customers use this web application to register their
> >     public keys and obtain certificates.  Example CA generates
> >     certificates for customers containing
> > <http://crl-and-ocsp.example-ca.com/> as the value for the "CRL
> >     Distribution Points" and "Authority Information Access:OCSP"
> >     certificate fields.
> >
> > 13.  Internationalized Domain Names for Applications (IDNA): Dependency
> >       and Migration
> >
> >     IDNA2008 obsoletes IDNA2003, but there are differences between the
> >     two specifications, and thus there can be differences in processing
> >     (e.g., converting) domain name labels that have been registered 
> under
> >     one from those registered under the other.  There will be a
> >     transition period of some time during which IDNA2003-based domain
> >     name labels will exist in the wild.  User agents SHOULD implement
> >     IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 
> 7 of
> >     [RFC5894]) or [UTS46] in order to facilitate their IDNA transition.
> >
> > I might be kicking a dead horse here, but MAY sounds a bit weak.
> > I especially dislike having the choice between 2 incompatible specs,
> > I think this might cause some interop problems.
>
> As far as I can tell, having had fairly extensive discussions with 
> IDNA folk both privately and on various lists such as idna-update@, 
> the above relects the the unfortunate state of the world at this time. 
> For instance, Pete Resnick signed off on the language in the spec in 
> this message to websec@...
Commented on this in reply to Peter.
> Re: [websec] wrt IDN processing-related security considerations for 
> draft-ietf-websec-strict-transport-sec
> https://www.ietf.org/mail-archive/web/websec/current/msg01015.html
>
> we should probably fork off any further discussion on this topic to 
> that thread.
>
>
> > Also, does "in order to facilitate their IDNA transition" apply
> > to the second reference or to both references?
>
> It applies to both. One may implement [RFC5895] /or/ [UTS46] to 
> facilitate one's IDNA transition (as I understand it).
Can you please move "in order to facilitate their IDNA transition" to 
the beginning of the sentence? I think this will make it clearer.
>
> again, followups on this item and the above should probably be in the 
> "Re: [websec] wrt IDN processing-related security considerations for 
> draft-ietf-websec-strict-transport-sec" thread here on websec@.
>