New rev:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
With this rev, all issue tickets are now nominally addressed. Full
change log
below, and full -04 announcement message at end.
Changes from -04 to -05 address: 33, 36
Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34,
35, 36
Changes from -02 to -03 address: 14, 26, 27
Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
full issue ticket list for strict-transport-sec:
<http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>
Diff from previous version:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05
=JeffH
==============================================================
Appendix D. Change Log
[RFCEditor: please remove this section upon publication as an RFC.]
Changes are grouped by spec revision listed in reverse issuance
order.
D.1. For draft-ietf-websec-strict-transport-sec
Changes from -04 to -05:
1. Fixed up references to move certain ones back to the normative
section -- as requested by Alexey M. Added explanation for
referencing obsoleted [RFC3490] and [RFC3492]. This addresses
issue ticket #36.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
2. Made minor change to Strict-Transport-Security header field
ABNF in order to address further feedback as appended to
ticket #33. This addresses issue ticket #33.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
Changes from -03 to -04:
1. Clarified that max-age=0 will cause UA to forget a known HSTS
host, and more generally clarified that the "freshest" info
from the HSTS host is cached, and thus HSTS hosts are able to
alter the cached max-age in UAs. This addresses issue ticket
#13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>
2. Updated section on "Constructing an Effective Request URI" to
remove remaining reference to RFC3986 and reference RFC2616
instead. Further addresses issue ticket #14.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
3. Addresses further ABNF issues noted in comment:1 of issue
ticket #27. <http://trac.tools.ietf.org/wg/websec/trac/
ticket/27#comment:1>
4. Reworked the introduction to clarify the denotation of "HSTS
policy" and added the new Appendix B summarizing the primary
characteristics of HSTS Policy and Same-Origin Policy, and
identifying their differences. Added ref to [RFC4732]. This
addresses issue ticket #28.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
5. Reworked language in Section 2.3.1.3. wrt "mixed content",
more clearly explain such vulnerability, disambiguate "mixed
content" in web security context from its usage in markup
language context. This addresses issue ticket #29.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/29>
6. Expanded Denial of Service discussion in Security
Considerations. Added refs to [RFC4732] and [CWE-113]. This
addresses issue ticket #30.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/30>
7. Mentioned in prose the case-insensitivity of directive names.
This addresses issue ticket #31.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/31>
8. Added Section 10.3 "Implications of includeSubDomains". This
addresses issue ticket #32.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/32>
9. Further refines text and ABNF definitions of STS header field
directives. Retains use of quoted-string in directive
grammar. This addresses issue ticket #33.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
10. Added Section 14.7 "Creative Manipulation of HSTS Policy
Store", including reference to [WebTracking]. This addresses
issue ticket #34.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/34>
11. Added Section 14.1 "Ramifications of HSTS Policy
Establishment only over Error-free Secure Transport" and made
some accompanying editorial fixes in some other sections.
This addresses issue ticket #35.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/35>
Hodges, et al. Expires September 10, 2012 [Page 38]
�
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
12. Refined references. Cleaned out un-used ones, updated to
latest RFCs for others, consigned many to Informational.
This addresses issue ticket #36.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
13. Fixed-up some inaccuracies in the "Changes from -02 to -03"
section.
Changes from -02 to -03:
1. Updated section on "Constructing an Effective Request URI" to
remove references to RFC3986. Addresses issue ticket #14.
<http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
2. Reference RFC5890 for IDNA, retaining subordinate refs to
RFC3490. Updated IDNA-specific language, e.g. domain name
canonicalization and IDNA dependencies. Addresses issue
ticket #26
<http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.
3. Completely re-wrote the STS header ABNF to be fully based on
RFC2616, rather than a hybrid of RFC2616 and httpbis.
Addresses issue ticket #27
<http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.
Changes from -01 to -02:
1. Updated Section 8.2 "URI Loading and Port Mapping" fairly
thoroughly in terms of refining the presentation of the
steps, and to ensure the various aspects of port mapping are
clear. Nominally fixes issue ticket #1
<http://trac.tools.ietf.org/wg/websec/trac/ticket/1>
2. Removed dependencies on
[I-D.draft-ietf-httpbis-p1-messaging-15]. Thus updated STS
ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
Header Field" by lifting some productions entirely from
[I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
[RFC2616]. Addresses issue ticket #2
<http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.
3. Updated Effective Request URI section and definition to use
language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
ABNF from [RFC2616]. Fixes issue ticket #3
<http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.
4. Added explicit mention that the HSTS policy applies to all
TCP ports of a host advertising the HSTS policy. Nominally
fixes issue ticket #4
<http://trac.tools.ietf.org/wg/websec/trac/ticket/4>
5. Clarified the need for the "includeSubDomains" directive,
e.g. to protect Secure-flagged domain cookies. In
Section 14.2 "The Need for includeSubDomains". Nominally
fixes issue ticket #5
<http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
6. Cited Firesheep as real-live threat in Section 2.3.1.1
"Passive Network Attackers". Nominally fixes issue ticket #6
<http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.
7. Added text to Section 11 "User Agent Implementation Advice"
justifying connection termination due to tls warnings/errors.
Nominally fixes issue ticket #7
<http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.
8. Added new subsection Section 8.5 "Interstitially Missing
Strict-Transport-Security Response Header Field". Nominally
fixes issue ticket #8
<http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.
9. Added text to Section 8.3 "Errors in Secure Transport
Establishment" explicitly note revocation check failures as
errors causing connection termination. Added references to
[RFC5280] and [RFC2560]. Nominally fixes issue ticket #9
<http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.
10. Added a sentence, noting that distributing specific end-
entity certificates to browsers will also work for self-
signed/private-CA cases, to Section 10 "Server Implementation
and Deployment Advice" Nominally fixes issue ticket #10
<http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.
11. Moved "with no user recourse" language from Section 8.3
"Errors in Secure Transport Establishment" to Section 11
"User Agent Implementation Advice". This nominally fixes
issue ticket #11
<http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.
12. Removed any and all dependencies on
[I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
on [RFC2616] only. Fixes issue ticket #12
<http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
13. Removed the inline "XXX1" issue because no one had commented
on it and it seems reasonable to suggest as a SHOULD that web
apps should redirect incoming insecure connections to secure
connections.
14. Removed the inline "XXX2" issue because it was simply for
raising consciousness about having some means for
distributing secure web application metadata.
15. Removed "TODO1" because description prose for "max-age" in
the Note following the ABNF in Section 6 seems to be fine.
16. Decided for "TODO2" that "the first STS header field wins".
TODO2 had read: "Decide UA behavior in face of encountering
multiple HSTS headers in a message. Use first header?
Last?". Removed TODO2.
17. Added Section 1.1 "Organization of this specification" for
readers' convenience.
18. Moved design decision notes to be a proper appendix
Appendix A.
Changes from -00 to -01:
1. Changed the "URI Loading" section to be "URI Loading and Port
Mapping".
2. [HASMAT] reference changed to [WEBSEC].
3. Changed "server" -> "host" where applicable, notably when
discussing "HSTS Hosts". Left as "server" when discussing
e.g. "http server"s.
4. Fixed minor editorial nits.
Changes from draft-hodges-strict-transport-sec-02 to
draft-ietf-websec-strict-transport-sec-00:
1. Altered spec metadata (e.g. filename, date) in order to submit
as a WebSec working group Internet-Draft.
D.2. For draft-hodges-strict-transport-sec
Changes from -01 to -02:
1. updated abstract such that means for expressing HSTS Policy
other than via HSTS header field is noted.
2. Changed spec title to "HTTP Strict Transport Security (HSTS)"
from "Strict Transport Security". Updated use of "STS"
acronym throughout spec to HSTS (except for when specifically
discussing syntax of Strict-Transport-Security HTTP Response
Header field), updated "Terminology" appropriately.
3. Updated the discussion of "Passive Network Attackers" to be
more precise and offered references.
4. Removed para on nomative/non-normative from "Conformance
Criteria" pending polishing said section to IETF RFC norms.
5. Added examples subsection to "Syntax" section.
6. Added OWS to maxAge production in Strict-Transport-Security
ABNF.
7. Cleaned up explanation in the "Note:" in the "HTTP-over-
Secure-Transport Request Type" section, folded 3d para into
"Note:", added conformance clauses to the latter.
8. Added exaplanatory "Note:" and reference to "HTTP Request
Type" section. Added "XXX1" issue.
9. Added conformance clause to "URI Loading".
10. Moved "Notes for STS Server implementors:" from "UA
Implementation dvice " to "HSTS Policy expiration time
considerations:" in "Server Implementation Advice", and also
noted another option.
11. Added cautionary "Note:" to "Ability to delete UA's cached
HSTS Policy on a per HSTS Server basis".
12. Added some informative references.
13. Various minor editorial fixes.
Changes from -00 to -01:
1. Added reference to HASMAT mailing list and request that this
spec be discussed there.
==============================================================
Subject: [websec] I-D Action:
draft-ietf-websec-strict-transport-sec-05.txt
From: [email protected]
Date: Fri, 09 Mar 2012 13:00:09 -0800
To: [email protected]
Cc: [email protected]
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Web Security Working
Group of the IETF.
Title : HTTP Strict Transport Security (HSTS)
Author(s) : Jeff Hodges
Collin Jackson
Adam Barth
Filename : draft-ietf-websec-strict-transport-sec-05.txt
Pages : 43
Date : 2012-03-09
This specification defines a mechanism enabling Web sites to declare
themselves accessible only via secure connections, and/or for users
to be able to direct their user agent(s) to interact with given sites
only over secure connections. This overall policy is referred to as
HTTP Strict Transport Security (HSTS). The policy is declared by Web
sites via the Strict-Transport-Security HTTP response header field,
and/or by other means, such as user agent configuration, for example.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt
==============================================================
end
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
