Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 29 June 2012 18:37 UTC

Message-ID: <4FEDF5F3.7020403@isode.com>
Date: Fri, 29 Jun 2012 19:37:39 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
References: <4FD6E91B.2000602@KingsMountain.com> <CABcZeBM_PLDaU_MPYad9sEtKpTsR8V2naT5WjDOEccu6eyKGMg@mail.gmail.com> <1DFCCAFE421024488073B74EEA0173E1170859@DEN-EXDDA-S12.corp.ebay.com> <4FEDD6D6.3070803@isode.com> <1DFCCAFE421024488073B74EEA0173E1171F86@DEN-EXDDA-S12.corp.ebay.com>
In-Reply-To: <1DFCCAFE421024488073B74EEA0173E1171F86@DEN-EXDDA-S12.corp.ebay.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

On 29/06/2012 17:45, Steingruebl, Andy wrote:
>> -----Original Message-----
>> From: Alexey Melnikov [mailto:alexey.melnikov@isode.com]
>>
>> Maybe this is not a good example, but I am thinking that something like
>> OCSP retrieval failing on the client side is not something that would
>> show up in the webserver logs.
> Sure, but doesn't the OCSP site know whether it has set HSTS?
You might be thinking of a different usage of OCSP.

I was thinking about: a browser gets a certificate from TLS. It tries to verify it using OCSP against a third-party OCSP server. The OCSP server is down. Now the website the browser is trying to access is effectively down with HSTS enabled.
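The failure mode described in this message, modelled as a small constructed example (added here; it is not the working group's text, the HSTS draft, or any browser's code). The `hardfail` flag on the policy is an assumption standing in for the parameter proposed in issue #41, and the client addresses and log format are constructed. It shows two things at once: with a hard-fail policy, an unreachable third-party OCSP responder alone blocks the connection, and because the abort happens on the client before any HTTP request is sent, nothing about it ever reaches the web server's access log.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # third-party responder down or unreachable


@dataclass
class HstsPolicy:
    max_age: int
    # Hypothetical flag modelling the "hardfail" parameter discussed in
    # issue #41. Its name and exact semantics are an assumption of this example.
    hardfail: bool = False


@dataclass
class Outcome:
    connected: bool
    reason: str


def decide(policy: Optional[HstsPolicy], chain_valid: bool, ocsp: OcspResult) -> Outcome:
    """Client-side decision for one https:// connection attempt."""
    if not chain_valid:
        # A bad chain is fatal either way; HSTS additionally removes any
        # user click-through, so the connection never proceeds automatically.
        if policy is not None:
            return Outcome(False, "certificate error, HSTS forbids click-through")
        return Outcome(False, "certificate error, user warning shown")
    if ocsp is OcspResult.REVOKED:
        return Outcome(False, "certificate revoked")
    if ocsp is OcspResult.UNAVAILABLE:
        # This is the case from the message: the cert is fine, only the
        # status check could not be completed.
        if policy is not None and policy.hardfail:
            return Outcome(False, "OCSP responder unreachable, hard-fail policy")
        return Outcome(True, "OCSP responder unreachable, soft-fail, proceeding")
    return Outcome(True, "ok")


Attempt = Tuple[str, str, Outcome]


def webserver_access_log(attempts: List[Attempt]) -> List[str]:
    """Constructed approximation of the *web server's* access log: only
    attempts that completed the handshake and sent an HTTP request show up.
    Client-side aborts leave no trace here, which is the point of the thread."""
    return [
        f'{client_ip} "GET {path} HTTP/1.1" 200'
        for client_ip, path, outcome in attempts
        if outcome.connected
    ]


def simulate_ocsp_outage(policy: Optional[HstsPolicy]) -> Tuple[List[Attempt], List[str]]:
    """Several clients visit the site while the OCSP responder is down.
    Returns (per-client outcomes, resulting web server access log)."""
    attempts: List[Attempt] = [
        (ip, "/", decide(policy, True, OcspResult.UNAVAILABLE))
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12")  # constructed addresses
    ]
    return attempts, webserver_access_log(attempts)


if __name__ == "__main__":
    scenarios = (
        ("no HSTS", None),
        ("HSTS, soft-fail", HstsPolicy(max_age=31536000, hardfail=False)),
        ("HSTS, hard-fail", HstsPolicy(max_age=31536000, hardfail=True)),
    )
    for label, pol in scenarios:
        attempts, log = simulate_ocsp_outage(pol)
        print(f"{label:16} -> {attempts[0][2].reason}; access-log entries: {len(log)}")
```

Running it prints three access-log entries for the soft-fail cases and zero for the hard-fail case: the site is "down" for every client, yet the operator looking only at the web server sees nothing wrong, because the decisive failure was the OCSP fetch on the client side.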