Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

Alexey Melnikov <> Fri, 29 June 2012 16:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C407421F877E for <>; Fri, 29 Jun 2012 09:24:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.014
X-Spam-Status: No, score=-103.014 tagged_above=-999 required=5 tests=[AWL=-0.415, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aLoMQOryEhbt for <>; Fri, 29 Jun 2012 09:24:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 99E3121F8781 for <>; Fri, 29 Jun 2012 09:24:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1340987096;; s=selector;; bh=vGAUQ+NzIgstrd2/vqMCdfyvSiAMJlQ73XxJJDAPLAU=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=QJTCFkzysUCifjWNsVLSfD2OYfL6RJm8dOhnOlnMNsJKjfy/jInDP84MoExblqDSwRYOJV yPhn9dcB1siMf1vrFVZw1UGLO/7jGPvLRTu5x0N6E7NT92whpSYvggncuoZe3zLS2kdoXo 0U0Kn87SdxtDr4N10BIQgAWvXyUD0h8=;
Received: from [] ( []) by (submission channel) via TCP with ESMTPSA id <>; Fri, 29 Jun 2012 17:24:56 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <>
Date: Fri, 29 Jun 2012 17:24:54 +0100
From: Alexey Melnikov <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: "Steingruebl, Andy" <>
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <>
Subject: Re: [websec] Issue #41 add parameter indicating whether to hardfail or not
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Jun 2012 16:24:58 -0000

On 29/06/2012 16:10, Steingruebl, Andy wrote:
>> The point of "this is testing" is  the opposite: people who can't talk to you because you've configured HSTS in a way inconsistent with your
>> actual site posture.
>> -Ekr
> Can you give us an example of how/where you think this could occur and how it is distinct from other ways you could using existing technology kill your site?

Maybe this is not a good example, but I am thinking that something like 
OCSP retrieval failing on the client side is not something that would 
show up in the webserver logs.

> As an admittedly snarky example you could easily public a bad A record in DNS and you'd never see any traffic at all, but there isn't a "test new A record flag" or "test new MX server" flag in the DNS.

There is however "I am testing DKIM" flag published in DNS.

> We assume that as part of deploying HSTS people do some basic checks like make sure their website actually responds over HTTPS and generates webserver logs, and they know which domain they are publishing HSTS records for.
> Some specifics would help me a lot to understand the concerns.