Paul Hoffman noted:
> On Apr 20, 2012, at 10:50 AM, =JeffH wrote:
>
>> > #39: appropriately acknowledge and accommodate DANE
>> http://trac.tools.ietf.org/wg/websec/trac/ticket/39
>>
>>
>> fyi & comment, the text I presently have in my working copy of -07 is..
>>
>> .
>> .
>> .
>> 2.2. HTTP Strict Transport Security Policy Effects
>>
>> The effects of the HTTP Strict Transport Security (HSTS) Policy, as
>> applied by a UA in interactions with a web resource host wielding
>> such policy (known as a HSTS Host), are summarized as follows:
>> .
>> .
>> 2. The UA terminates any secure transport connection attempts upon
>> any and all secure transport errors or warnings, including those
>> caused by a web application presenting a certificate matching a
>> trusted certificate association as denoted via the DANE protocol
>> [I-D.ietf-dane-protocol], or any other form of self-signed
>> certificate that does not chain to a trust anchor in the UA or
>> operating system CA root certificate store.
>
> I don't think this is what you meant. It sounds like using DANE is
> considered a transport error or warning. Proposed fix:
>
> 2. The UA terminates any secure transport connection attempts upon
> any and all secure transport errors or warnings, including those
> caused by a web application presenting self-signed certificates
> that do not chain to a trust anchor in the UA or operating system
> CA root certificate store, except when the self-signed certificate
> is part of a validated certificate association as defined in
> [I-D.ietf-dane-protocol].
thanks.
hm...
In looking at this section, which is attempting to only (non-normatively)
summarize the effects of the HSTS policy, it occurs to me it should be
streamlined down to..
2. The UA terminates any secure transport connection attempts upon
any and all secure transport errors or warnings.
..because section 10.2 now addresses details wrt "self-signed certs" and such.
Section 2.2 in my working copy is now..
###
2.2. HTTP Strict Transport Security Policy Effects
The effects of the HTTP Strict Transport Security (HSTS) Policy, as
applied by a conformant UA in interactions with a web resource host
wielding such policy (known as a HSTS Host), are summarized as
follows:
1. UAs transform insecure URI references to a HSTS Host into secure
URI references before dereferencing them.
2. The UA terminates any secure transport connection attempts upon
any and all secure transport errors or warnings.
###
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
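The two policy effects listed in the streamlined section 2.2 above, modelled as an added example that is not part of this thread or of the HSTS draft: a hypothetical `HstsPolicyUA` helper that (1) rewrites insecure URI references to a known HSTS Host into secure ones before they are dereferenced and (2) hard-fails a connection attempt to an HSTS Host on any secure transport error or warning, with no user override, while a non-HSTS host keeps the conventional click-through behaviour. The `TlsDiagnostics` record, the port handling (explicit port 80 dropped, other explicit ports preserved) and the outcome strings are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


class SecureTransportError(Exception):
    """Raised when a secure transport to an HSTS Host could not be established cleanly."""


@dataclass
class TlsDiagnostics:
    """Constructed stand-in for what a TLS/certificate validator would report (assumption)."""
    errors: list = field(default_factory=list)    # fatal problems, e.g. chain does not validate
    warnings: list = field(default_factory=list)  # problems a UA might otherwise let a user accept


class HstsPolicyUA:
    """Hypothetical user agent that applies the two HSTS policy effects of section 2.2."""

    def __init__(self):
        # Hosts that have previously delivered a valid HSTS policy to this UA.
        self.known_hsts_hosts = set()

    def note_hsts_host(self, host):
        self.known_hsts_hosts.add(host.lower())

    def is_hsts_host(self, host):
        return host is not None and host.lower() in self.known_hsts_hosts

    def rewrite_uri(self, uri):
        """Effect 1: an insecure URI reference to a known HSTS Host becomes a secure one."""
        parts = urlsplit(uri)
        if parts.scheme.lower() != "http" or not self.is_hsts_host(parts.hostname):
            return uri  # not http, or not an HSTS Host: leave the reference untouched
        netloc = parts.netloc
        if parts.port == 80:
            # Assumption: an explicit :80 maps to the default https port; any other
            # explicit port is preserved (rsplit keeps userinfo and IPv6 literals intact).
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def connect(self, host, diag):
        """Effect 2: for an HSTS Host, any error *or warning* terminates the attempt."""
        if self.is_hsts_host(host):
            if diag.errors or diag.warnings:
                raise SecureTransportError(
                    f"{host}: HSTS policy forbids continuing past {diag.errors + diag.warnings}"
                )
            return "connected"
        # Non-HSTS host: errors still fail, but warnings may be overridden by the user.
        if diag.errors:
            raise SecureTransportError(f"{host}: {diag.errors}")
        if diag.warnings:
            return "connected-after-user-override"
        return "connected"

    def try_connect(self, host, diag):
        """Convenience wrapper returning 'terminated' instead of raising."""
        try:
            return self.connect(host, diag)
        except SecureTransportError:
            return "terminated"


if __name__ == "__main__":
    ua = HstsPolicyUA()
    ua.note_hsts_host("example.com")  # constructed sample host
    print(ua.rewrite_uri("http://example.com:80/login?next=/"))
    print(ua.try_connect("example.com", TlsDiagnostics(warnings=["self-signed certificate"])))
    print(ua.try_connect("other.example", TlsDiagnostics(warnings=["self-signed certificate"])))
```

The point Paul raises is visible in `connect`: a validator that reports a DANE-validated association as a *warning* would make an HSTS Host unreachable, so the validator, not the HSTS layer, has to decide that such an association is not a warning at all.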