On Aug 18, 2012, at 1:55 AM, =JeffH wrote:

> Yoav Nir noted:
>>
>> As a reminder, the proposed resolution is as follows:
>>
>> * Do not establish a registry now
>>   Let the first new header field specification establish it
>>
>> * A client that gets an unknown field ignores it
>>   This means no mandatory-to-understand extensions
>
> Thanks, Yoav.
>
> I'd also noted that we need to decide on an IANA policy to declare.

Do we need to do this? Assuming the proposed resolution achieves consensus (and there have been no nays yet), we're not setting up a registry. I don't think we get to set a policy for a registry we're not setting up.

> My original message is here..
>
> https://www.ietf.org/mail-archive/web/websec/current/msg01315.html
>
> ..and I suggested that, since HSTS is a security policy, I lean towards wanting
> to have relatively rigorous review applied to any registry and its contents
> created for HSTS directives and thus am thinking a policy of "IETF Review" is
> what we ought to state (for "FOO" in the below excerpt from -12 at the end of
> section 6.1)..
>
>    Additional directives extending the semantic functionality of the STS
>    header field can be defined in other specifications, with a registry
>    (having an IANA policy definition of FOO [RFC5226]) defined for them
>    at such time.
>
>       NOTE: Such future directives will be ignored by UAs implementing
>             only this specification, as well as by generally
>             non-conforming UAs. See Section 14.1 "Non-Conformant User Agent
>             Implications" for further discussion.
>

HSTS is a security policy. Suppose an extension requires that the certificate contain a logo. Is that security-relevant? According to section 2 of RFC 5226, policies are made to avoid hoarding of resources (I don't think that's relevant here), and to make sure it makes sense. I think "expert review" would be OK, but I don't think we need to bother with deciding this now.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
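The "a client that gets an unknown field ignores it" behaviour the resolution settles on, shown as an added example that is not part of the thread and not code from any browser or HSTS implementation: a small Python parser for the Strict-Transport-Security field value. It follows RFC 6797, the published HSTS spec, which kept this rule: max-age is required and may be quoted, directive names are case-insensitive, each directive may appear only once, a field that breaks the grammar is discarded as a whole, and only the first STS header field in a response is processed. The header values in the test are constructed; `preload` and `foo` stand in for extension directives this UA does not know, and the `ignored` list is an added diagnostic (a real UA would simply drop them).

```python
"""Strict-Transport-Security parsing with the extension rule from the thread:
a directive the UA does not understand is ignored, not fatal.

Added illustration, not code from the websec thread or any browser. Rules
follow RFC 6797 (the published HSTS spec): max-age is required and may be
quoted, directive names are case-insensitive, each directive may appear only
once, a field that breaks the grammar is discarded as a whole (Section 8.1),
and only the first STS header field in a response is processed (Section 8.1).
"""
import re
from typing import List, Optional, Tuple

# delta-seconds: one or more digits, either bare or wrapped in double quotes
_MAX_AGE_RE = re.compile(r'^(?:(\d+)|"(\d+)")$')


def parse_sts(value: str) -> Optional[dict]:
    """Parse one STS field value.

    Returns {"max_age": int, "include_subdomains": bool, "ignored": [names]}
    or None when the whole field must be ignored as malformed.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    ignored: List[str] = []

    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # the grammar allows empty slots, e.g. a trailing ";"
        name, eq, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            return None  # "All directives MUST appear only once"
        seen.add(name)

        if name == "max-age":
            m = _MAX_AGE_RE.match(val)
            if not m:
                return None  # not delta-seconds: the field is malformed
            max_age = int(m.group(1) or m.group(2))
        elif name == "includesubdomains":
            if eq:
                return None  # valueless directive was given a value
            include_subdomains = True
        else:
            # Extension directive this UA does not implement: skipped, the
            # rest of the field still takes effect. This is what makes a
            # mandatory-to-understand extension impossible.
            ignored.append(name)

    if max_age is None:
        return None  # max-age is the one required directive
    return {"max_age": max_age,
            "include_subdomains": include_subdomains,
            "ignored": ignored}


def sts_policy_from_response(headers: List[Tuple[str, str]]) -> Optional[dict]:
    """Apply the per-response rule: only the first STS header field counts,
    even if a later one is well-formed. `headers` is the ordered list of
    (name, value) pairs as received over TLS."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_sts(value)
    return None
```

Note the asymmetry the thread is relying on: an unknown directive costs nothing, but a malformed known directive (or a duplicate) throws away the whole field, so a server that wants to use a future extension must still get the base syntax exactly right.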
