Hi all

draft-ietf-websec-strict-transport-sec is now being edited by the RFC editor.
An issue has come up. We need to resolve this quickly, so please read the
following and reply to the list with your opinions.

Section 8.4 begins as follows:


8.4. Errors in Secure Transport Establishment

  When connecting to a Known HSTS Host, the UA MUST terminate the
  connection (see also Section 12 "User Agent Implementation Advice")
  if there are any errors, whether "warning" or "fatal" or any other
  error level, with the underlying secure transport.  For example, this
  includes any errors found in certificate validity checking UAs employ
  such as via Certificate Revocation Lists (CRL) [RFC5280], or via the
  Online Certificate Status Protocol (OCSP) [RFC2560].

The list of example ways that the UA employs to validate certificates includes
CRLs and OCSP. The authors believe that the list should be extended to also
include a reference to the succinctly-named RFC 6125 ("Representation and
Verification of Domain-Based Application Service Identity within Internet
Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of
Transport Layer Security (TLS)"). See the suggested text below; the new stuff
begins with "as well as" on the penultimate line.


8.4. Errors in Secure Transport Establishment

  When connecting to a Known HSTS Host, the UA MUST terminate the
  connection (see also Section 12 "User Agent Implementation Advice")
  if there are any errors, whether "warning" or "fatal" or any other
  error level, with the underlying secure transport.  For example, this
  includes any errors found in certificate validity checking UAs employ
  such as via Certificate Revocation Lists (CRL) [RFC5280], or via the
  Online Certificate Status Protocol (OCSP) [RFC2560], as well as via
  server identity checking [RFC6125]. 

Note that this is not an additional Last Call. If nobody strongly objects to 
this addition, we will add it. We have already heard from Barry that this 
addition is fine, and will not require a new LC.

Please respond soon, as the RFC editor is working on this document now.

Thanks

Yoav
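Added illustration, not part of this message or of the draft: a Python sketch of what section 8.4 asks of a UA. A Known HSTS Host gets chain validation plus RFC 6125 server identity checking, and any secure-transport error, at any level, terminates the connection instead of offering a click-through. KNOWN_HSTS_HOSTS and the host names are constructed sample data; the DNS-ID matcher honours only a whole-label left-most wildcard (RFC 6125 section 6.4.3) and, stricter than the RFC, refuses wildcards with fewer than three labels.

```python
import socket
import ssl

# Constructed sample of the UA's persisted Known HSTS Hosts (example data).
KNOWN_HSTS_HOSTS = {"example.com", "www.example.com"}


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID (certificate subjectAltName dNSName)
    with the reference identity, following RFC 6125 section 6.4.3.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label: '*.example.com' matches 'www.example.com' but not
    'example.com' or 'a.b.example.com'. Partial-label wildcards are a MAY
    in RFC 6125 and are declined here."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p == r
    # Wildcard in any label other than the left-most is never matched.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Stricter than RFC 6125 (common client practice): no '*' or '*.tld'.
    if len(p) < 3:
        return False
    # Never let a wildcard cover an internationalised (A-label) left-most label.
    if r[0].startswith("xn--"):
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def identity_check(san_dns_names, reference: str) -> bool:
    """True iff some presented DNS-ID matches the reference identity."""
    return any(dns_id_matches(name, reference) for name in san_dns_names)


def hsts_client_context() -> ssl.SSLContext:
    """TLS settings for a Known HSTS Host: chain validation and hostname
    checking are both required, with no user-visible opt-out."""
    ctx = ssl.create_default_context()  # system trust anchors, TLS defaults
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_known_hsts_host(host: str, port: int = 443):
    """Section 8.4 behaviour: any error with the secure transport, whatever
    its level, terminates the connection; nothing is shown for override."""
    if host not in KNOWN_HSTS_HOSTS:
        raise ValueError(f"{host} is not a Known HSTS Host")
    ctx = hsts_client_context()
    try:
        raw = socket.create_connection((host, port))
        return ctx.wrap_socket(raw, server_hostname=host), "ok"
    except (ssl.SSLError, OSError) as exc:  # covers certificate errors too
        return None, f"terminated: {exc}"
```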

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec