
Re: [Gen-art] Gen-ART LC Review of draft-ietf-websec-strict-transport-sec-11

2012-08-10 09:19:35
Jeff and I had a f2f discussion about this point in Vancouver. To paraphrase 
(and I assume he will correct me if I mischaracterize anything), Jeff 
indicated that this really wasn't a MUST level requirement due to the variation 
and vagaries in application behavior and abilities. Rather, it's more of a "do 
the best you can" sort of thing. Specifically, he indicated that an 
implementation that chose to go ahead and serve unprotected content due to the 
listed caveats on redirecting to HTTPS would necessarily be out-of-compliance.

If the requirement is really that you SHOULD NOT (rather than MUST NOT) serve 
unprotected content, then I think the original language is okay.

Thanks!

Ben.

On Aug 9, 2012, at 6:03 PM, Alexey Melnikov 
<alexey(_dot_)melnikov(_at_)isode(_dot_)com> wrote:

On 02/08/2012 10:46, Ben Campbell wrote:
Hi, thanks for the response.  Comments inline:

On Jul 29, 2012, at 10:29 PM, =JeffH 
<Jeff(_dot_)Hodges(_at_)kingsmountain(_dot_)com> wrote:
[...]
-- section 7.2:

Am I correct to assume that the server must never just serve the content over
a non-secure connection? If so, it would be helpful to mention that, maybe
even normatively.
It's a SHOULD, see the Note in that section, so it's already effectively 
stated normatively, though one needs to understand HTTP workings to realize 
it in the way you stated it above.  Perhaps we could add a simple statement as 
you suggest to the intro para for section 7 Server Processing Model, to 
address this concern?

I think something of the form SHOULD redirect to HTTPS, but MUST NOT under 
any circumstances send the content unprotected would improve the text.

Sounds good to me. (And yes, this is implied, but it doesn't hurt to state 
explicitly.)

That's probably already implied, and a reasonable implementor wouldn't do 
it anyway. But my experience is that some readers will find strange 
interpretations whenever you give them the wiggle room to do so, so it's 
better to be explicit.


_______________________________________________
Gen-art mailing list
Gen-art(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/gen-art
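The behaviour the thread is arguing about, the HSTS host's server processing model in section 7 of the draft, is easy to state as code. The following is an added example written for this archive page; it is not code from the draft, from the thread participants, or from any particular server. It models the two rules under discussion: a request that arrives over a non-secure transport is answered with a permanent redirect to the same resource under the https scheme and carries no content body (the SHOULD redirect plus the MUST NOT serve unprotected content wording Ben proposes), and the Strict-Transport-Security header is only emitted over a secure transport. The `Request`/`Response` types, the `handle` and `is_compliant` functions, the one-year `max-age` policy value and the assumption that the HTTPS service lives on the default port are all constructed for the illustration.

```python
"""Minimal model of an HSTS host's server processing model (added example).

Assumptions (constructed for this example, not taken from the draft or thread):
  * `Request.secure` tells us whether the connection was TLS-protected.
  * The HTTPS service is reachable on the default port, so any explicit port
    in the Host header is dropped when building the redirect target.
  * A one-year max-age is used as the example STS policy.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    secure: bool   # True when the request arrived over a secure (TLS) transport
    host: str      # Host header value, possibly "host:port"
    path: str      # request-target: path plus optional query, e.g. "/a?b=1"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


STS_MAX_AGE = 31536000  # one year; a constructed policy value for the example


def sts_header_value(max_age: int = STS_MAX_AGE, include_subdomains: bool = False) -> str:
    """Build the Strict-Transport-Security header field value."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def https_uri(host: str, path: str) -> str:
    """Rewrite the effective request URI to the https scheme.

    Local policy assumed here: the HTTPS listener is on the default port, so
    an explicit port from the Host header is not carried over.
    """
    hostname = host.split(":", 1)[0]
    return f"https://{hostname}{path}"


def handle(request: Request, content: bytes) -> Response:
    """Serve `content` the way an HSTS host should.

    Non-secure transport: permanent redirect to https, no body, no STS header.
    Secure transport: the content, with the STS header attached.
    """
    if not request.secure:
        # Redirect instead of serving; the content never crosses the
        # unprotected connection, and the STS header is withheld here.
        return Response(
            status=301,
            headers={"Location": https_uri(request.host, request.path)},
        )
    return Response(
        status=200,
        headers={
            "Strict-Transport-Security": sts_header_value(),
            "Content-Type": "text/html",
        },
        body=content,
    )


def is_compliant(request: Request, response: Response) -> bool:
    """Check a (request, response) pair against the two rules modelled above.

    This is the kind of assertion an integration test or a reviewer would run
    to catch a server that 'does its best' but still leaks content over HTTP.
    """
    if request.secure:
        return "Strict-Transport-Security" in response.headers
    return (
        response.status in (301, 308)
        and response.body == b""
        and response.headers.get("Location", "").startswith("https://")
        and "Strict-Transport-Security" not in response.headers
    )


if __name__ == "__main__":
    page = b"<html>constructed sample content</html>"
    for req in (
        Request(secure=False, host="example.com", path="/docs/?v=1"),
        Request(secure=False, host="example.com:8080", path="/"),
        Request(secure=True, host="example.com", path="/docs/?v=1"),
    ):
        resp = handle(req, page)
        print(req, "->", resp.status, resp.headers, "compliant:", is_compliant(req, resp))
```

Running the block shows the non-secure requests answered with a bare 301 to `https://example.com/...` and the secure request answered with the page and the STS header; `is_compliant` returns False for a response that hands the body back over plain HTTP, which is exactly the behaviour the proposed MUST NOT would forbid.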