Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 30 April 2012 22:26 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D598E21F86CE for <websec@ietfa.amsl.com>; Mon, 30 Apr 2012 15:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.176
X-Spam-Level:
X-Spam-Status: No, score=-100.176 tagged_above=-999 required=5 tests=[AWL=0.319, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7+W6I5jpffnx for <websec@ietfa.amsl.com>; Mon, 30 Apr 2012 15:26:12 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 13C1B21F86C3 for <websec@ietf.org>; Mon, 30 Apr 2012 15:26:10 -0700 (PDT)
Received: (qmail 16900 invoked by uid 0); 30 Apr 2012 22:26:09 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 30 Apr 2012 22:26:09 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=7CYYsHWmwOymM69czGkIDPgrm5cY9F1xUyLe7GIxSb0=; b=EAWdjhOYL44hBwkWOeyxel6dZtdS+OrAr0y5uY1cCkva37gulXR1W1NcaBGuGR22FMcdlxp86aV+m5+fu80h+Q1XhAnQqXHyCPq+MEuVi7cFc3JX+p4KW2JImVqc7GB+;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.153]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SOz2n-0007Tc-Ji; Mon, 30 Apr 2012 16:26:09 -0600
Message-ID: <4F9F117E.4070906@KingsMountain.com>
Date: Mon, 30 Apr 2012 15:26:06 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2012 22:26:14 -0000

thanks for the review Paul. I noticed I didn't respond to some portions of your 
message that didn't get transformed into issue tickets. here goes...

 > Significant:
 >
 > This document pretends that the TLSA protocol from the DANE WG will not
 > exist.

this item is captured in <http://trac.tools.ietf.org/wg/websec/trac/ticket/39> 
and has been discussed in a separate thread..

<https://www.ietf.org/mail-archive/web/websec/current/msg01141.html>


 > Moderate:
 >
 > In section 8.1.2, I don't know what "ignoring separator characters" means,
 > and suspect it will cause pain if left this way.

That phrase is simply deleted in my -07 working copy.


 > [I-D.ietf-tls-ssl-version3] is not a "work in progress". I'll take this up
 > on the rfc-interest mailing list, and nothing needs to be done here.

That is addressed in my working copy via ref of (the recently published) 
[RFC6101] instead.


 > RFC 2818 is listed as a normative reference, and yet it is Informational.
 > This will need to be called out in the PROTO report. Alternately, it can be
 > called an informative reference, since one does not need to understand it
 > in order to implement this document.

this item was addressed by Alexey in his reply here..

<https://www.ietf.org/mail-archive/web/websec/current/msg01104.html>


 > I have alerted the idna-update mailing list of this WG LC. This might cause
 > some helicoptered-in comments, but better now than during IETF LC.

I had noticed that.  I'll followup there once -07 is pub'd. Note that I'd 
engaged in non-trivial discussions there on idna-update@ about various aspects 
of -strict-transport-sec back in Sep-2011...

<http://www.alvestrand.no/pipermail/idna-update/2011-September/007140.html>

..and I have some hopefull-improved IDNA language in my -07 working copy.


 > Editorial:
 >
 > "annunciate" (used a few times) is a fancy word for "announce". Maybe use
 > the far more common word instead.
 >
 > In section 3.1, "suboptimal downside" is unclear. Is there an optimal
 > downside? I suggest replacing it with "negative".
 >
 > The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are
 > used in 11.1 and 11.3. This should be an easy fix.

the above are captured in issue ticket #40 
<http://trac.tools.ietf.org/wg/websec/trac/ticket/40>


thanks again,

=JeffH