> -----Original Message-----
> From: Alexey Melnikov [mailto:[email protected]]
> 
> Maybe this is not a good example, but I am thinking that something like
> OCSP retrieval failing on the client side is not something that would
> show up in the webserver logs.

Sure, but doesn't the OCSP site know whether it has set HSTS?

> 
> There is however "I am testing DKIM" flag published in DNS.

Yep, but here you may not know all your sources of email, all of the domains, 
senders, etc.  You could have an outsourcer sending mail on your behalf that 
you don't know about, haven't inventoried, etc.  

For HSTS that can't be the case.  For HSTS you do know exactly what domain/host 
you're applying HSTS to.  You don't necessarily know all of the inbound links, 
but you don't know that before HSTS either, and so you watch your weblogs for 404s, 
for example, to see typo'd links, inbound errors, etc.

My contention is we already have this problem solved, and don't need a testing 
mode for it like this as there aren't any cases where the browser won't at 
least try to connect, and you can have an endpoint there ready/willing/able to 
listen to the request that is made.  If nothing else you could put up a packet 
sniffer.

- Andy
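The "watch your weblogs for 404s" approach above, as an added illustration that is not part of this mail or the websec list: a small Python script that parses constructed combined-log-format lines from the HTTPS listener of an HSTS host and groups 404s by path and referer, so broken inbound links surface without any browser-side testing mode (the log lines, host names and paths are made-up sample data).

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/nginx combined log format) from the
# HTTPS listener of the host HSTS is applied to. Sample data, not from the mail.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /old-page HTTP/1.1" 404 512 "http://partner.example/links" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /old-page HTTP/1.1" 404 512 "http://partner.example/links" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /typo-lnk HTTP/1.1" 404 512 "http://blog.example/post" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def broken_inbound_links(log_text):
    """Count 404 responses per (path, referer) pair.

    Because the browser still tries to connect to the HTTPS endpoint after the
    HSTS upgrade, a dead or typo'd inbound link shows up here as a 404 whose
    referer tells you which external page carries the bad link.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined log format
        if rec["status"] == "404":
            hits[(rec["path"], rec["referer"])] += 1
    return hits


def report(log_text):
    """Return the 404 summary sorted by hit count, most frequent first."""
    hits = broken_inbound_links(log_text)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (path, referer), n in report(SAMPLE_LOG):
        print(f"{n:4d}  {path}  <- {referer}")
```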

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec