ietf

Re: Gen-ART LC Review of draft-ietf-websec-strict-transport-sec-11

2012-08-10 16:34:40
Thanks Ben.

> Jeff and I had a f2f discussion about this point in Vancouver. To paraphrase
> (and I assume he will correct me if I mischaracterize anything), Jeff
> indicated that this really wasn't a MUST level requirement due to the
> variation and vagaries in application behavior and abilities.

Yes, see the NOTE in section 7.2.

> Rather, it's
> more of a "do the best you can" sort of thing. Specifically, he indicated
> that an implementation that chose to go ahead and serve unprotected content
> due to the listed caveats on redirecting to HTTPS would necessarily be
> out-of-compliance.

I presume you actually mean "not necessarily", which would then be correct, unless I'm misunderstanding something.


> If the requirement really is that you SHOULD NOT (rather than MUST NOT) serve
> unprotected content, then I think the original language is okay.

agreed.

thanks,

=JeffH
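The SHOULD-versus-MUST distinction the two of them settle on above can be made concrete in code. The following is an added example and is not code from the draft, from this thread, or from any HSTS implementation: a small Python model of the section 7.2 server-side rules, where an HSTS host SHOULD answer a plain-HTTP request with a permanent redirect to https (so choosing to serve the content over HTTP is a deviation from a SHOULD, not non-compliance) but MUST NOT attach the Strict-Transport-Security header to any response sent over non-secure transport. The function names, the header value and the handling of an explicit `:80` port are assumptions made for the example.

```python
"""Toy model of the HSTS section 7.2 server-side rules discussed above.

Added example for illustration only; not code from the draft, the thread,
or any HSTS implementation. Function names, the STS value and the port
handling are this example's own assumptions.
"""

STS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy value


def https_location(host: str, path: str) -> str:
    """Rewrite the request's host and path to the https scheme.

    Assumption for this example: an explicit ":80" in the Host header is
    dropped so the redirect target uses the https default port; any other
    explicit port is left alone (treated as local policy).
    """
    if host.endswith(":80"):
        host = host[:-3]
    return f"https://{host}{path}"


def hsts_response(secure: bool, host: str, path: str, redirect_on_http: bool = True):
    """Return (status, headers) an HSTS host would send for one request.

    secure           -- True if the request arrived over secure transport.
    redirect_on_http -- models the SHOULD of section 7.2. When False, the host
                        serves the content over plain HTTP instead of
                        redirecting; that is permitted because the requirement
                        is SHOULD, not MUST.
    """
    if secure:
        # The STS header is only ever sent over secure transport.
        return 200, {"Strict-Transport-Security": STS_VALUE}
    if redirect_on_http:
        # Permanent redirect to the https form of the same URI.
        return 301, {"Location": https_location(host, path)}
    # Unprotected content served anyway: the STS header MUST NOT accompany it.
    return 200, {}


def check_response(secure: bool, status: int, headers: dict) -> str:
    """Classify one observed response against section 7.2.

    "must-violation"   -- STS header sent over non-secure transport.
    "should-deviation" -- non-secure response that is not a permanent
                          redirect (allowed, but contrary to the SHOULD).
    "ok"               -- anything else.
    """
    names = {name.lower() for name in headers}
    if not secure and "strict-transport-security" in names:
        return "must-violation"
    if not secure and status not in (301, 308):
        return "should-deviation"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests: (secure?, Host header, path, redirect policy)
    samples = [
        (True, "example.com", "/", True),
        (False, "example.com:80", "/login?next=%2F", True),
        (False, "example.com", "/", False),
    ]
    for secure, host, path, redirect in samples:
        status, headers = hsts_response(secure, host, path, redirect)
        verdict = check_response(secure, status, headers)
        print(f"secure={secure} redirect={redirect} -> {status} {headers} [{verdict}]")
```

Running the demo shows the third sample (plain HTTP, no redirect) classified as a SHOULD deviation rather than a violation, while a response that carried the STS header over HTTP would be the one case `check_response` reports as breaking a MUST.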