On Apr 20, 2012, at 10:50 AM, =JeffH wrote:
> > #39: appropriately acknowledge and accommodate DANE
> http://trac.tools.ietf.org/wg/websec/trac/ticket/39
>
>
> fyi & comment, the text I presently have in my working copy of -07 is..
>
> .
> .
> .
> 2.2. HTTP Strict Transport Security Policy Effects
>
> The effects of the HTTP Strict Transport Security (HSTS) Policy, as
> applied by a UA in interactions with a web resource host wielding
> such policy (known as an HSTS Host), are summarized as follows:
> .
> .
> 2. The UA terminates any secure transport connection attempts upon
> any and all secure transport errors or warnings, including those
> caused by a web application presenting a certificate matching a
> trusted certificate association as denoted via the DANE protocol
> [I-D.ietf-dane-protocol], or any other form of self-signed
> certificate that does not chain to a trust anchor in the UA or
> operating system CA root certificate store.
I don't think this is what you meant. It sounds like using DANE is
considered a transport error or warning. Proposed fix:
2. The UA terminates any secure transport connection attempts upon
any and all secure transport errors or warnings, including those
caused by a web application presenting self-signed certificates
that do not chain to a trust anchor in the UA or operating system
CA root certificate store, except when the self-signed certificate
is part of a validated certificate association as defined in
[I-D.ietf-dane-protocol].
--Paul Hoffman
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
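To make the distinction in the proposed wording concrete, the following Python models the UA decision for one connection attempt: a PKIX failure on an HSTS host is fatal, except when the presented certificate is part of a validated DANE certificate association. This is an added example, not code from the thread, the draft, or any browser. It assumes the TLSA field semantics of RFC 6698 (the published form of I-D.ietf-dane-protocol: usage, selector, matching type), reduces certificates to constructed placeholder byte strings rather than real DER, collapses DNSSEC validation to a flag, and goes beyond the self-signed case in the proposed text by also applying the RFC 6698 rule that DNSSEC-secure TLSA data which nothing in the chain satisfies is itself a failure, for all four usages.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the two byte strings a TLSA selector can pick."""
    der: bytes   # full DER-encoded certificate (selector 0); placeholder bytes here
    spki: bytes  # DER-encoded SubjectPublicKeyInfo (selector 1); placeholder bytes here


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR as defined in RFC 6698."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Derive the bytes a TLSA record is compared against for this cert."""
    if selector == 0:
        payload = cert.der
    elif selector == 1:
        payload = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return payload
    if matching == 1:
        return hashlib.sha256(payload).digest()
    if matching == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record: TLSA, chain: List[Cert], pkix_ok: bool) -> bool:
    """True if the presented chain (chain[0] is the end-entity) satisfies one record."""
    # Usages 0 and 1 only constrain a chain that already passed PKIX validation;
    # they never rescue a chain that does not reach a trust anchor.
    if record.usage in (0, 1) and not pkix_ok:
        return False
    # EE usages (1, 3) look only at the leaf; TA usages (0, 2) may match any chain cert.
    candidates = chain[:1] if record.usage in (1, 3) else chain
    return any(association_data(c, record.selector, record.matching) == record.data
               for c in candidates)


def ua_decision(hsts_host: bool, pkix_ok: bool, chain: List[Cert],
                records: List[TLSA], dnssec_secure: bool) -> str:
    """Return 'proceed', 'warn' or 'terminate' for one connection attempt.

    'warn' stands for the click-through UI a non-HSTS host gets on a PKIX error;
    an HSTS host gets no such UI, only termination, unless DANE validates the cert.
    """
    have_dane = dnssec_secure and bool(records)   # insecure DNS: TLSA data is ignored
    dane_ok = have_dane and any(tlsa_matches(r, chain, pkix_ok) for r in records)
    if have_dane and not dane_ok:
        return "terminate"   # secure TLSA data that nothing satisfies is a failure (RFC 6698)
    if pkix_ok or dane_ok:
        return "proceed"     # either a trust-anchor chain or the DANE exception holds
    return "terminate" if hsts_host else "warn"


# Constructed sample data: stand-ins for real DER, not parseable X.509.
SELF_SIGNED = Cert(der=b"DER:self-signed-leaf", spki=b"SPKI:leaf-key")
ROGUE = Cert(der=b"DER:other-leaf", spki=b"SPKI:other-key")
# DANE-EE (usage 3), SPKI (selector 1), SHA-256 (matching 1) record pinning SELF_SIGNED's key.
PIN = TLSA(3, 1, 1, hashlib.sha256(SELF_SIGNED.spki).digest())


def demo() -> dict:
    """The cases the thread is arguing about, side by side."""
    return {
        "hsts, self-signed, no DANE": ua_decision(True, False, [SELF_SIGNED], [], False),
        "hsts, self-signed, DANE-EE validated": ua_decision(True, False, [SELF_SIGNED], [PIN], True),
        "hsts, self-signed, TLSA but insecure DNS": ua_decision(True, False, [SELF_SIGNED], [PIN], False),
        "hsts, wrong key, DANE-EE": ua_decision(True, False, [ROGUE], [PIN], True),
        "non-hsts, self-signed, no DANE": ua_decision(False, False, [SELF_SIGNED], [], False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:42s} -> {result}")
```

The point the code makes that the prose does not: the DANE exception only applies when the TLSA data is DNSSEC-secure and actually matches, and a PKIX-EE/PKIX-TA (usage 0/1) record can never rescue a self-signed certificate, since those usages presuppose a chain to a UA trust anchor.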