fyi, here's the change log from -01 to -02:
1. Updated Section 7.2 "URI Loading and Port Mapping" fairly
thoroughly in terms of refining the presentation of the
steps, and to ensure the various aspects of port mapping are
clear. Nominally fixes issue ticket #1
<http://trac.tools.ietf.org/wg/websec/trac/ticket/1>.
2. Removed dependencies on
[I-D.draft-ietf-httpbis-p1-messaging-15]. Thus updated STS
ABNF in Section 5.1 "Strict-Transport-Security HTTP Response
Header Field" by lifting some productions entirely from
[I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
[RFC2616]. Addresses issue ticket #2
<http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.
3. Updated Effective Request URI section and definition to use
language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
ABNF from [RFC2616]. Fixes issue ticket #3
<http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.
4. Added explicit mention that the HSTS policy applies to all
TCP ports of a host advertising the HSTS policy. Nominally
fixes issue ticket #4
<http://trac.tools.ietf.org/wg/websec/trac/ticket/4>.
5. Clarified the need for the "includeSubDomains" directive,
e.g. to protect Secure-flagged domain cookies, in
Section 12.1 "The Need for includeSubDomains". Nominally
fixes issue ticket #5
<http://trac.tools.ietf.org/wg/websec/trac/ticket/5>.
6. Cited Firesheep as a real-life threat in Section 2.3.1.1
"Passive Network Attackers". Nominally fixes issue ticket #6
<http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.
7. Added text to Section 10 "UA Implementation Advice"
justifying connection termination due to TLS warnings/errors.
Nominally fixes issue ticket #7
<http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.
8. Added new subsection Section 7.5 "Interstitially Missing
Strict-Transport-Security Response Header Field". Nominally
fixes issue ticket #8
<http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.
9. Added text to Section 7.3 "Errors in Secure Transport
Establishment" to explicitly note revocation check failures as
errors causing connection termination. Added references to
[RFC5280] and [RFC2560]. Nominally fixes issue ticket #9
<http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.
10. Added a sentence, noting that distributing specific end-
entity certs to browsers will also work for self-signed/
private-CA cases, to Section 9 "Server Implementation Advice".
Nominally fixes issue ticket #10
<http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.
11. Moved "with no user recourse" language from Section 7.3
"Errors in Secure Transport Establishment" to Section 10 "UA
Implementation Advice". This nominally fixes issue ticket
#11 <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.
12. Removed any and all dependencies on
[I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
on [RFC2616] only. Fixes issue ticket #12
<http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
13. Removed the inline "XXX1" issue because no one had commented
on it and it seems reasonable to suggest as a SHOULD that web
apps should redirect incoming insecure connections to secure
connections.
14. Removed the inline "XXX2" issue because it was simply for
raising consciousness about having some means for
distributing secure web application metadata.
15. Removed "TODO1" because description prose for "max-age" in
the Note following the ABNF in Section 5 seems to be fine.
16. Decided for "TODO2" that "the first STS header field wins".
TODO2 had read: "Decide UA behavior in face of encountering
multiple HSTS headers in a message. Use first header?
Last?". Removed TODO2.
17. Added Section 1.1 "Organization of this specification" for
readers' convenience.
18. Moved design decision notes to be a proper appendix
Appendix A.
---
end
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
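To make the three behavioural decisions in the change log concrete (item 16: the first Strict-Transport-Security header field wins; item 4: the policy covers every TCP port of the host; item 5: includeSubDomains extends it to subdomains), here is a small user-agent-side model of HSTS processing in Python. It is an added example written for this page, not code from the draft, its author or any browser. The directive syntax (`max-age=<seconds>`, `includeSubDomains`), the treatment of `max-age=0` as withdrawal, and the port-mapping rule of Section 7.2 (http becomes https, an explicit port 80 becomes 443, any other explicit port is kept) are taken from the published RFC 6797 and are assumptions as far as this message goes; the response headers and URIs in the usage block are constructed.

```python
"""Minimal HSTS known-host store (added example; assumptions follow RFC 6797)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int              # seconds the host is to be treated as an HSTS host
    include_subdomains: bool  # True when the includeSubDomains directive is present


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse one STS header field value; return None if it is not usable."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:            # a directive may appear only once
            return None
        directives[name] = val
    max_age = directives.get("max-age")   # max-age is the one required directive
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in directives)


def select_sts_policy(headers: Iterable[Tuple[str, str]]) -> Optional[HstsPolicy]:
    """Only the first STS header field of a response is processed (item 16);
    a later, possibly conflicting, STS field is ignored even if the first is bad."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_sts_header(value)
    return None


class KnownHstsHosts:
    """The UA's list of known HSTS hosts, keyed by host name only: the policy
    is not per port, it applies to every TCP port of the host (item 4)."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def note(self, host: str, policy: Optional[HstsPolicy]) -> None:
        """Record the policy received over a secure transport from `host`."""
        if policy is None:
            return                        # unusable header field: nothing cached
        host = host.lower().rstrip(".")
        if policy.max_age == 0:           # max-age=0 withdraws the policy (RFC 6797)
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def is_known(self, host: str) -> bool:
        """Exact match, or a superdomain whose policy has includeSubDomains (item 5)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy is not None and (i == 0 or policy.include_subdomains):
                return True
        return False

    def rewrite_uri(self, uri: str) -> str:
        """URI loading and port mapping (Section 7.2) for an http:// URI."""
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme.lower() != "http" or not self.is_known(host):
            return uri                    # not an HSTS host, or already not http
        if parts.port is None:
            netloc = host                 # default port: https default applies
        elif parts.port == 80:
            netloc = f"{host}:443"        # explicit 80 maps to 443
        else:
            netloc = f"{host}:{parts.port}"  # any other explicit port is kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = KnownHstsHosts()
    # Constructed response headers, as if received over TLS from example.com.
    response_headers = [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Strict-Transport-Security", "max-age=0"),   # ignored: not the first STS field
    ]
    store.note("example.com", select_sts_policy(response_headers))
    for uri in ("http://example.com/", "http://example.com:80/login",
                "http://api.example.com:8080/v1", "http://other.example/"):
        print(uri, "->", store.rewrite_uri(uri))
```

The store deliberately keys on host name alone; a UA that cached the policy per port would leave `http://example.com:8080/` unprotected after learning the policy from port 443, which is the gap item 4 closes.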