Hi,
Tobias wrote..
>
> I would like to ask for feedback/opinions from the WG on this draft
> regarding the following open issue:
>
> - in Paris we had a discussion about whether HSTS header should specify
> a "I am testing HSTS" directive. There was some support for this in the
> room but no consensus.
ptr to meeting minutes below at [1].
> I would like to make a final invitation for comments/views/opinions on this?
Please also note that I comment on this near the end of this recent message..
Re: [websec] Issue #41 add parameter indicating whether to hardfail or not
https://www.ietf.org/mail-archive/web/websec/current/msg01213.html
Here's what I wrote in that msg:
In the Paris WG session, the discussion of the above morphed to thinking about
having a new "this site is testing HSTS" directive.
In thinking about this, we don't think it is really necessary because if one
declares one's web app as being HSTS, one can watch server logs to see if any
requests come in over plain http, and then go track those issues down. You
don't really need the user agent's help to figure out what is happening. It's
just going to mechanically transform all http URIs pointing to your site into
https ones, and try to load them, and if they 404, you'll know it (via your logs).
It's arguably different with Content Security Policy (CSP) -- which is where
the discussed notion came from ("report-only") -- because in CSP, the user
agent is enforcing policy on loaded content within itself and there may be no
other way to figure out what it's doing.
> - And as this is somehow related:
> the still open #41: should HSTS have an option like "hardfail=no"?
> Our meeting discussion in Paris did not show consensus in support of this.
And I commented on that in the beginning of the above-mentioned message.
HTH,
=JeffH
[1]
> and just in case anyone wants to read up on our meeting minutes from Paris:
> http://www.ietf.org/proceedings/83/minutes/minutes-83-websec.txt
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
