On 18/08/12 07:21, Yoav Nir wrote:
On Aug 18, 2012, at 1:55 AM, =JeffH wrote:

Yoav Nir noted:
As a reminder, the proposed resolution is as follows:

* Do not establish a registry now
      Let the first new header field specification establish it

* A client that gets an unknown field ignores it
      This means no mandatory-to-understand extensions
Thanks, Yoav.

I'd also noted that we need to decide on an IANA policy to declare.
Do we need to do this?  Assuming the proposed resolution achieves consensus 
(and there have been no nays yet), we're not setting up a registry. I don't 
think we get to set a policy for a registry we're not setting up.

<hat="WG chair">
AFAIK from an administrative perspective, Yoav is right.
In general we set the IANA policy for registry updates at creation of the registry. So no need to do it here without the registry (assuming we don't create an IANA registry).
My original message is here..

   https://www.ietf.org/mail-archive/web/websec/current/msg01315.html

..and I suggested that, since HSTS is a security policy, I lean towards wanting
to have relatively rigorous review applied to any registry and its contents
created for HSTS directives and thus am thinking a policy of "IETF Review" is
what we ought to state (for "FOO" in the below excerpt from -12 at the end of
section 6.1)..

    Additional directives extending the semantic functionality of the STS
    header field can be defined in other specifications, with a registry
    (having an IANA policy definition of FOO [RFC5226]) defined for them
    at such time.

    NOTE:  Such future directives will be ignored by UAs implementing
           only this specification, as well as by generally non-
           conforming UAs.  See Section 14.1 "Non-Conformant User Agent
           Implications" for further discussion.

HSTS is a security policy. Suppose an extension requires that the certificate contain a 
logo. Is that security-relevant?  According to section 2 of RFC 5226, policies are made 
to avoid hoarding of resources (I don't think that's relevant here), and to make sure it 
makes sense. I think "expert review" would be OK, but I don't think we need to 
bother with deciding this now.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
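To make concrete what the "a client that gets an unknown field ignores it" resolution means for a user agent, here is an added example of STS header field processing. It is not code from the draft, from the thread, or from any browser. The only rule it takes from the excerpt above is that directives the UA does not recognise are dropped; the other rules it enforces (directives separated by ";", case-insensitive directive names, max-age required, a directive appearing twice invalidates the whole field, includeSubDomains valueless) are assumptions taken from the published RFC 6797, section 6.1, not from this thread. The hypothetical extension directive "foo" in the usage is invented for the demonstration.

```javascript
// Added example: how a UA implementing only the base HSTS spec processes the
// Strict-Transport-Security header field. Not code from the draft or a browser.
//
// Rule from the excerpt above: unrecognised directives are ignored.
// Assumed rules (from RFC 6797 section 6.1, not from this thread):
//   - directives are separated by ";" and names are case-insensitive
//   - max-age is required and must be a non-negative integer
//   - a directive that appears more than once makes the whole field invalid
//   - includeSubDomains carries no value

const KNOWN_DIRECTIVES = new Set(["max-age", "includesubdomains"]);

// Returns { maxAge, includeSubDomains, ignored } for a usable header field,
// or null when the field must be ignored as a whole.
function parseSts(headerValue) {
  const seen = new Set();
  const result = { maxAge: null, includeSubDomains: false, ignored: [] };

  for (const rawDirective of headerValue.split(";")) {
    const directive = rawDirective.trim();
    if (directive === "") continue; // empty directive (e.g. trailing ";") is allowed

    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // directive-value may be a quoted-string
    }

    if (name === "") return null;      // malformed, e.g. "=bar"
    if (seen.has(name)) return null;   // duplicate directive: whole field invalid
    seen.add(name);

    if (!KNOWN_DIRECTIVES.has(name)) {
      // Unknown directive: ignore it, keep processing the recognised ones.
      result.ignored.push(name);
      continue;
    }
    if (name === "max-age") {
      if (value === null || !/^\d+$/.test(value)) return null;
      result.maxAge = Number(value);
    } else {
      if (value !== null) return null; // includeSubDomains takes no value
      result.includeSubDomains = true;
    }
  }

  if (result.maxAge === null) return null; // max-age is required
  return result;
}

// Constructed sample: a server that has started sending a hypothetical future
// extension directive "foo". A base-spec UA keeps the policy and drops "foo",
// which is why an extension cannot be mandatory-to-understand.
const sample = 'max-age=31536000; includeSubDomains; foo=bar';
console.log(JSON.stringify(parseSts(sample)));
```

The consequence for extension design follows directly: whatever a future directive is meant to tighten or relax, a UA that predates it still applies the base policy exactly as if the directive were absent, so an extension can only add meaning for UAs that know it, never change what older UAs do.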
