New rev: https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14

Please see the change log excerpt included below for details. This rev addresses comments raised during IESG review:
https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/

All issue tickets are closed. Full issue ticket list for strict-transport-sec:
<http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>

Redline spec diff from previous rev:
https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-websec-strict-transport-sec-14.txt

Side-by-side diff from previous rev:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-14.txt

Change Log for this rev is below.

=JeffH

==============================================================

Appendix D. Change Log

   [RFCEditor: please remove this section upon publication as an RFC.]

   Changes are grouped by spec revision listed in reverse issuance order.

D.1. For draft-ietf-websec-strict-transport-sec

   Changes from -13 to -14:

   1. Added a new subsection entitled "Considerations for Offering Unsecured HTTP Services at Alternate Ports or Subdomains of an HSTS Host" to Section 11.4 "Implications of includeSubDomains". This addresses Robert Sparks' Discuss point (1):
      <https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/#robert-sparks>

      Also s/flag/directive/ for all uses of e.g. "includeSubDomains flag", and noted that the presence of an includeSubDomains directive in an STS header field means it is "asserted".

   2. Added a definition of an expired known HSTS Host, as well as a stipulation that the UA must evict expired known HSTS Hosts from the cache (to Section 8.1.1 "Noting an HSTS Host - Storage Model"). Added an "unexpired" adjective appropriately to Section 8.2 "Known HSTS Host Domain Name Matching". This addresses Robert Sparks' Discuss point (2):
      <https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/#robert-sparks>

   3. Added a note (14.4) on the reason for clients to consider providing a way for users to remove entries from the cache. This addresses Robert Sparks' first Comment:
      <https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/#robert-sparks>

   4. Noted in the 2nd para of Section 7.1 that HTTP is running over secure transport. This addresses Robert Sparks' second comment ("nit"):
      <https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/#robert-sparks>

   5. Struck the "or perhaps others" phrase from Section 7. Added Section 14 "Underlying Secure Transport Considerations" to Sec Cons. This addresses a portion of Eric Rescorla's feedback.

   6. Added a NOTE to Section 8.3 "URI Loading and Port Mapping" regarding non-HTTPS servers running at non-standard ports identified in URIs. Added item (6) to Appendix A explaining the port mapping design decision. This addresses the other portion of EKR's feedback.

   Changes from -12 to -13:

   <snip/>

--- end

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
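As an added illustration (not text from the draft and not any browser's code) of the UA-side behaviours the -14 changes touch: parsing the STS header field and its includeSubDomains directive (item 1), noting known HSTS Hosts with an expiry and evicting expired ones so they never match (item 2), superdomain matching, and the http-to-https port mapping of Section 8.3 (item 6). The function names, the dict-based cache and the sample header values are my own constructions.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Parse an STS field value into (max_age, include_subdomains); None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit() or max_age is not None:  # required, numeric, at most once
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True  # valueless directive: its presence means it is asserted
    return None if max_age is None else (max_age, include_sub)

def note_host(cache, host, sts_value, now):
    """Record host -> (absolute expiry, includeSubDomains) after an STS header over TLS."""
    parsed = parse_sts(sts_value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = host.lower().rstrip(".")
    if max_age == 0:
        cache.pop(host, None)  # max-age=0 tells the UA to forget the host
    else:
        cache[host] = (now + max_age, include_sub)
    return True

def evict_expired(cache, now):
    """Expired known HSTS Hosts are evicted, so they can never produce a match."""
    for host in [h for h, (expiry, _) in cache.items() if expiry <= now]:
        del cache[host]

def is_known(cache, host, now):
    """Congruent match, or superdomain match where includeSubDomains is asserted."""
    evict_expired(cache, now)
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if (entry := cache.get(".".join(labels[i:]))) and (i == 0 or entry[1]):
            return True
    return False

def rewrite_uri(cache, url, now):
    """http -> https for known hosts; port 80 becomes 443, other explicit ports are kept."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not is_known(cache, parts.hostname, now):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```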
