Alexey pointed out to me..
>
> BTW, you moved lots of references to Informational (e.g. all IDNA
> related), I think this is incorrect - their understanding is required in
> order to implement HSTS correctly.
So, yes, I did (ruthlessly) move a ton of references to Informational. I wanted
to pare down the Normative references to the absolutely necessary ones.
Wrt IDNA refs, I'm happy to move them back to Normative if that's what folks
think. Note that in typical implementations, all the IDN normalizations have
occurred before getting to the actual HSTS implementation. There's this text in
Section 8. User Agent Processing Model...
This processing model assumes that the UA implements IDNA2008
[RFC5890], or possibly IDNA2003 [RFC3490], as noted in Section 13
"Internationalized Domain Names for Applications (IDNA): Dependency
and Migration". It also assumes that all domain names manipulated in
this specification's context are already IDNA-canonicalized as
outlined in Section 9 "Domain Name IDNA-Canonicalization" prior to
the processing specified in this section.
The above assumptions mean that this processing model also
specifically assumes that appropriate IDNA and Unicode validations
and character list testing have occurred on the domain names, in
conjunction with their IDNA-canonicalization, prior to the processing
specified in this section. See the IDNA-specific security
considerations in Section 14.8 "Internationalized Domain Names" for
rationale and further details.
So, if folks indeed wish IDN refs to be Normative, I'll move 'em back.
Also please point out any other refs y'all think should be in the Normative
section but aren't.
thanks,
=JeffH
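To make the "already IDNA-canonicalized before HSTS processing" assumption in the quoted Section 8 text concrete, here is a small added example (my illustration, not text or code from the draft, and not from any real UA). It canonicalizes a host name (NFC, trailing-dot removal, per-label A-label conversion, ASCII lowercasing) and only then consults a Known HSTS Host store, doing the exact-match and includeSubDomains superdomain-match lookups the draft describes. The store contents are constructed sample entries, and the helper names are mine. Python's built-in `idna` codec implements IDNA2003 (RFC 3490), the fallback the quoted text allows; an IDNA2008 implementation would need a separate library. The `naive_lookup` function shows the failure mode the assumption is guarding against: a U-label or mixed-case host that misses a policy stored under its A-label.

```python
import unicodedata

# Constructed Known HSTS Host store, keyed by canonical (lowercase A-label) host.
# Sample entries only; not taken from the draft or from any real UA.
KNOWN_HSTS_HOSTS = {
    "example.com": {"include_subdomains": True},
    "xn--bcher-kva.example": {"include_subdomains": False},  # "bücher.example"
}


def idna_canonicalize(host: str) -> str:
    """Return the canonical form of a host name: NFC, no trailing dot,
    every label converted to its A-label, and the result lowercased.

    Python's built-in 'idna' codec implements IDNA2003 (RFC 3490). Its ToASCII
    step returns pure-ASCII labels untouched, so the explicit lower() at the end
    is what gives case-insensitive matching for ASCII hosts.
    """
    host = unicodedata.normalize("NFC", host).rstrip(".")
    if not host:
        raise ValueError("empty host name")
    a_labels = []
    for label in host.split("."):
        if label == "":
            raise ValueError("empty label in host name: %r" % host)
        # nameprep (case folding, normalization, prohibited-character checks)
        # plus Punycode happen inside the codec; a bad label raises UnicodeError.
        a_labels.append(label.encode("idna").decode("ascii"))
    return ".".join(a_labels).lower()


def hsts_policy_for(host: str):
    """Look up the HSTS policy covering `host` after canonicalization.

    Returns (matching_known_host, policy) or (None, None).
    Exact (congruent) match is tried first; then superdomain matches, which
    only count when the superdomain's policy asserts includeSubDomains.
    """
    canon = idna_canonicalize(host)
    if canon in KNOWN_HSTS_HOSTS:
        return canon, KNOWN_HSTS_HOSTS[canon]
    labels = canon.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        entry = KNOWN_HSTS_HOSTS.get(parent)
        if entry is not None and entry["include_subdomains"]:
            return parent, entry
    return None, None


def should_upgrade_to_https(host: str) -> bool:
    """True if a Known HSTS Host policy applies, i.e. plain-http must be rewritten."""
    return hsts_policy_for(host)[0] is not None


def naive_lookup(host: str):
    """What happens if the canonicalization step is skipped: a direct store lookup.
    Shown only to illustrate the missed match; not a correct implementation."""
    return KNOWN_HSTS_HOSTS.get(host)


if __name__ == "__main__":
    for h in ["Bücher.Example.", "WWW.Example.COM", "sub.xn--bcher-kva.example"]:
        print(h, "->", idna_canonicalize(h), "upgrade:", should_upgrade_to_https(h))
    print("naive lookup of 'Bücher.example':", naive_lookup("Bücher.example"))
```

The point of the ordering is that the store is keyed on one form only; everything the draft says about IDNA validation and character-list testing has to have happened on the way to that form, so the HSTS code itself never sees a U-label, a trailing dot, or mixed case.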
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec