
From tobias.gondrom@gondrom.org  Sat Mar  3 08:07:57 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B30B21F86C7 for <websec@ietfa.amsl.com>; Sat,  3 Mar 2012 08:07:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Level: 
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKF4M+VBsczP for <websec@ietfa.amsl.com>; Sat,  3 Mar 2012 08:07:56 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id ADA4721F86C2 for <websec@ietf.org>; Sat,  3 Mar 2012 08:07:55 -0800 (PST)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=MCHIWih1SdG5aGOVmeGWRYlj3wX69Kqu3b1KvS6dOM38Sm6HuvhzHgs3cwcWAHCGp4EUb6xQu2m4zsGs/fOlCSV7yV0X13jXkOqH4BirW/YAWpTQ9oaLANVhzdHP1gP8; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 21789 invoked from network); 3 Mar 2012 17:07:31 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Mar 2012 17:07:31 +0100
Message-ID: <4F5241C3.6070401@gondrom.org>
Date: Sat, 03 Mar 2012 16:07:31 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com> <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com>
In-Reply-To: <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] Fwd: I-D Action: draft-nir-websec-extended-origin-00.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Mar 2012 16:07:57 -0000

Hello Yoav,

thank you for the interesting draft.

<hat="individual">

I have a few points as feedback:
- the 3-tuple of origin consists of "real" parameters (protocol, URL, 
port), while the introduction of the 4th tuple feels like an artificial 
parameter extension as it is not mapped to anything visible to the 
client and in fact will be spliced by the middle-server (vpn server). 
This makes me very hesitant, whether this would be a good idea.

- As Adam mentioned, there will be migration problems.
At the moment all browsers and other systems operate on the SOP with 
3-tuple to compare for identity. It will be difficult (read: near 
impossible) to enforce that all deployed systems out there shall from 
now on be compliant with a 4-tuple and no longer assume identity of two 
sites when only the first three parameters are equal.

So, although I agree that economic reasons are absolutely viable reasons 
for such an idea, I have concerns that this draft is only a workaround 
for certain closed areas (i.e. where a company can basically enforce 
that all accessing clients are in fact updated using such a 4-tuple 
policy) but will create severe consistency issues in the Internet where 
you would then see a mix of 3-tuple and 4-tuple clients, with the risk 
of messing up the predictability of handling of SOP.

Maybe a question regarding the use cases:
As in general, systems use sub-domains for such purpose (as explained by 
you and James), I am wondering whether there are other scenarios (beyond 
VPN) that may need this 4th origin parameter?

Best regards, Tobias


On 02/02/12 22:54, Yoav Nir wrote:
> Hi
>
> I have just submitted this draft. The purpose of this is to address 
> the case where a single portal hides several real servers behind it, 
> by translating their URLs into URL that seem to be from that server.
>
> In that case the same origin policy is not enforced correctly, because 
> cookies and scripts from one server behind the portal (for example, a 
> mail server) can be shared and can affect pages from another server 
> behind the same portal.
>
> This draft proposes a header that will tell the client (browser) what 
> the real origin is, and allow the client to apply the SOP.
>
> If people find this interesting, I would like to discuss this in 
> Paris. Any comments will be greatly appreciated.
>
> Yoav
>
> Begin forwarded message:
>
>> From: internet-drafts@ietf.org
>> Subject: I-D Action: draft-nir-websec-extended-origin-00.txt
>> Date: February 3, 2012 12:00:21 AM GMT+02:00
>> To: i-d-announce@ietf.org
>> Reply-To: internet-drafts@ietf.org
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>>
>> Title           : A More Granular Web Origin Concept
>> Author(s)       : Yoav Nir
>> Filename        : draft-nir-websec-extended-origin-00.txt
>> Pages           : 8
>> Date            : 2012-02-02
>>
>>   This document defines an HTTP header that allows the partitioning of
>>   a single origin as defined in RFC 6454 into multiple origins, so that
>>   the same origin policy applies among them.
>>
>>   The header introduced in this document allows the portal to specify
>>   that resources that appear to be from the same origin should, in
>>   fact, be treated as though they are from different origins, by
>>   extending the 3-tuple of the origin to a 4-tuple.  The user agent is
>>   expected to apply the same-origin policy according to the 4-tuple
>>   rather than the 3-tuple.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From ynir@checkpoint.com  Sun Mar  4 15:05:24 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B033A21F85C9 for <websec@ietfa.amsl.com>; Sun,  4 Mar 2012 15:05:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.459
X-Spam-Level: 
X-Spam-Status: No, score=-10.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2Ex92WGJvyc for <websec@ietfa.amsl.com>; Sun,  4 Mar 2012 15:05:24 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 887E721F85C4 for <websec@ietf.org>; Sun,  4 Mar 2012 15:05:23 -0800 (PST)
X-CheckPoint: {4F53F09C-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q24N5JuY014924;  Mon, 5 Mar 2012 01:05:19 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 5 Mar 2012 01:05:18 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Mon, 5 Mar 2012 01:05:18 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Date: Mon, 5 Mar 2012 01:05:16 +0200
Thread-Topic: [websec] I-D Action:	draft-nir-websec-extended-origin-00.txt
Thread-Index: Acz6W0QSMpAHROHNQGiWT/OR2UbRHA==
Message-ID: <617BD1C6-7285-49BA-B953-6286AF3887FB@checkpoint.com>
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com> <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com> <4F5241C3.6070401@gondrom.org>
In-Reply-To: <4F5241C3.6070401@gondrom.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] I-D Action:	draft-nir-websec-extended-origin-00.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2012 23:05:24 -0000

Hi Tobias,

Replies inline.

On Mar 3, 2012, at 6:07 PM, Tobias Gondrom wrote:

> Hello Yoav,
> 
> thank you for the interesting draft.
> 
> <hat="individual">
> 
> I have a few points as feedback:
> - the 3-tuple of origin consists of "real" parameters (protocol, URL, 
> port), while the introduction of the 4th tuple feels like an artificial 
> parameter extension as it is not mapped to anything visible to the 
> client and in fact will be spliced by the middle-server (vpn server). 
> This makes me very hesitant, whether this would be a good idea.

As far as the client is concerned, there is only one server. If that
server does not give any hints to the client, it's going to treat all
these different resources as belonging to the same origin. So it does
map to something the server sends.

> - As Adam mentioned, there will be migration problems.
> At the moment all browsers and other systems operate on the SOP with 
> 3-tuple to compare for identity. It will be difficult (read: near 
> impossible) to enforce that all deployed systems out there shall from 
> now on be compliant with a 4-tuple and no longer assume identity of two 
> sites when only the first three parameters are equal.
> 
> So, although I agree that economic reasons are absolutely viable reasons 
> for such an idea, I have concerns that this draft is only a workaround 
> for certain closed areas (i.e. where a company can basically enforce 
> that all accessing clients are in fact updated using such a 4-tuple 
> policy) but will create severe consistency issues in the Internet where 
> you would then see a mix of 3-tuple and 4-tuple clients, with the risk 
> of messing up the predictability of handling of SOP.

Actually, SSL VPNs are deployed where the company has no control over
the clients. Sure you can enforce that users only use one kind of
browser, but typically SSL VPNs are deployed so as to support any type
of client, from phones to desktop. Companies that have that level of
control tend to equip their employees with laptops that run IPsec VPNs.

However, these SSL VPN portals exist today, and hide multiple servers
behind a single hostname and port. Typically these will be mostly
internal servers with a few external ones. For example, our deployment
has the mail server (OWA), the internal Wiki, the automated build
system, the SAP web application, and the web application of an external
service provider that delivers lunch. These are not just random sites
on the Internet, but specific servers that the administrator has chosen.
The way these are deployed now, the lunch service provider can steal the
cookies from the mail server, or script it. Having the SSL VPN server
provide this extra information might help security (if the browsers use
that information). It won't make it worse.

> Maybe a question regarding the use cases:
> As in general, systems use sub-domains for such purpose (as explained by 
> you and James), I am wondering whether there are other scenarios (beyond 
> VPN) that may need this 4th origin parameter?

I guess any HTTP reverse proxy may hide multiple servers behind it.
Reverse proxies are used for caching, load balancing, access control to
web application. Even CDNIs are a type of reverse proxy. I believe that
SSL VPNs are a little different. The other types of reverse proxy are
typically installed and maintained by experts. SSL VPNs are installed
and maintained by people whose knowledge of networking can range from
"NOC team material" to "the CEO's nephew who's really good with
computers". So I think all reverse proxies could benefit from a 4th
origin parameter, but I think most of the others can work around that
need, while some SSL VPN customers can't.

Yoav
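The two client populations discussed above (a legacy browser comparing the RFC 6454 3-tuple and a compliant one comparing the extended 4-tuple), as an added example that is not code from the draft or from either author. The header name Extended-Origin, its bare-token value, and the portal URLs are assumptions made for illustration.

```javascript
// Added example, not code from draft-nir-websec-extended-origin or from the
// thread's authors. Header name, value syntax and URLs are assumptions.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// RFC 6454 origin: the (scheme, host, port) 3-tuple. The default port is
// filled in so that https://vpn.example.com and https://vpn.example.com:443
// compare as the same origin.
function rfc6454Origin(urlString) {
  const url = new URL(urlString);
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
  };
}

// Extended origin: the 3-tuple plus a 4th component copied from a response
// header the portal would add (assumed name: Extended-Origin). A response
// without the header yields an empty 4th component, i.e. legacy behaviour.
function extendedOrigin(urlString, responseHeaders) {
  const base = rfc6454Origin(urlString);
  const ext = (responseHeaders["extended-origin"] || "").trim();
  return { ...base, ext };
}

// Legacy comparison: what every deployed client does today.
function sameOrigin3(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Compliant comparison: all four components must match.
function sameOrigin4(a, b) {
  return sameOrigin3(a, b) && a.ext === b.ext;
}

// Constructed sample, modelled on the deployment described in the thread:
// the mail server and an external lunch vendor behind one SSL VPN hostname.
const MAIL_INBOX = "https://vpn.example.com/owa/inbox";
const MAIL_CAL = "https://vpn.example.com:443/owa/calendar";
const LUNCH_MENU = "https://vpn.example.com/lunch/menu";
const MAIL_HEADERS = { "extended-origin": "owa" };
const LUNCH_HEADERS = { "extended-origin": "lunch-vendor" };

// A client that ignores the header (the 3-tuple side of the mix Tobias
// worries about): mail and lunch vendor are one origin, so the vendor's
// content runs with the mail server's cookies and DOM access.
function legacyClientTreatsAsSame() {
  return sameOrigin3(rfc6454Origin(MAIL_INBOX), rfc6454Origin(LUNCH_MENU));
}

// A compliant client honouring the header: the two are separate origins.
function compliantClientTreatsAsSame() {
  return sameOrigin4(extendedOrigin(MAIL_INBOX, MAIL_HEADERS),
                     extendedOrigin(LUNCH_MENU, LUNCH_HEADERS));
}

// Two resources of the same application still share an origin, even with
// the explicit :443 spelled out in one of the URLs.
function sameAppStaysSame() {
  return sameOrigin4(extendedOrigin(MAIL_INBOX, MAIL_HEADERS),
                     extendedOrigin(MAIL_CAL, MAIL_HEADERS));
}

// A portal that never sends the header: the 4-tuple collapses to the
// 3-tuple, which is Yoav's point that the header cannot make things worse.
function noHeaderFallsBackToLegacy() {
  return sameOrigin4(extendedOrigin(MAIL_INBOX, {}),
                     extendedOrigin(LUNCH_MENU, {}));
}

console.log({
  legacy: legacyClientTreatsAsSame(),        // true
  compliant: compliantClientTreatsAsSame(),  // false
  sameApp: sameAppStaysSame(),               // true
  noHeader: noHeaderFallsBackToLegacy(),     // true
});
```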


From tobias.gondrom@gondrom.org  Mon Mar  5 10:14:17 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5A8221F87EE for <websec@ietfa.amsl.com>; Mon,  5 Mar 2012 10:14:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Level: 
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jUDSbPYgB0kF for <websec@ietfa.amsl.com>; Mon,  5 Mar 2012 10:14:17 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 9002E21F87EA for <websec@ietf.org>; Mon,  5 Mar 2012 10:14:16 -0800 (PST)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=YO6IqFFd2jc2hPnsHOG1zoOjs/5tyK9CZuSMeYL/S7M2HaU8yXMhvbnc4tk2zg0p2LpFXK0CMIn8KzJEXBNToyy5WPM3e/9bvCR/KTdeK4j5NE33kg5XuuuBe2wjJ+ON; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Priority:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 16106 invoked from network); 5 Mar 2012 19:14:12 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 5 Mar 2012 19:14:12 +0100
Message-ID: <4F550274.2060408@gondrom.org>
Date: Mon, 05 Mar 2012 18:14:12 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
X-Priority: 4 (Low)
References: <68291699F5EA8848B0EAC2E78480571FDF9911@TK5EX14MBXC240.redmond.corp.microsoft.com> <CAJE5ia-D+BoFd0v+PAaRPh0g03LWMX_WGeZTfQz-vUSq7h83EQ@mail.gmail.com> <4F3F623A.9060200@informaction.com> <68291699F5EA8848B0EAC2E78480571FE01C5E@TK5EX14MBXC240.redmond.corp.microsoft.com>
In-Reply-To: <68291699F5EA8848B0EAC2E78480571FE01C5E@TK5EX14MBXC240.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] Frame-Options header and intermediate frames
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2012 18:14:17 -0000

Hello,
ok, I edited the draft accordingly.
http://www.ietf.org/id/draft-gondrom-frame-options-02.txt
Best regards, Tobias

PS: As discussed at our previous meeting, I also submitted a working 
draft 00 version for X-Frame-Options (which is only to document the 
status quo, while Frame-Options shall be the way going forward, as 
discussed in our websec meeting in Paris; link: 
http://www.ietf.org/id/draft-gondrom-x-frame-options-00.txt). I will 
update both further in the next few days.



On 21/02/12 00:17, David Ross wrote:
> AllAncestors sounds good to me.
>
> David Ross
> dross@microsoft.com
>
> -----Original Message-----
> From: Giorgio Maone [mailto:g.maone@informaction.com]
> Sent: Saturday, February 18, 2012 12:33 AM
> To: Adam Barth
> Cc: David Ross; Eduardo' Vela; IETF WebSec WG; Michal Zalewski
> Subject: Re: [websec] Frame-Options header and intermediate frames
>
> On 18/02/2012 09:06, Adam Barth wrote:
>> On Fri, Feb 17, 2012 at 5:14 PM, David Ross <dross@microsoft.com> wrote:
>>> Here's a good argument that sites attempting to avoid attacks such as
>>> phishing and clickjacking would not want to frame arbitrary content.
>>> Users really only have an easy way to make immediate and valid trust
>>> decisions about the origin of the top level page, not frames contained
>>> within those pages.  But sites that frame arbitrary content do exist in
>>> the real world, for better or worse.  While there are different
>>> philosophical viewpoints on cross-domain framing, there doesn't seem to
>>> be any reason to avoid creating a ValidateAllAncestors flag on
>>> Frame-Options which would instruct the browser to validate the URL of
>>> each hosting frame up to the top level.  Given this, sites that frame
>>> arbitrary content could at least make use of SAMEORIGIN and ALLOW-FROM
>>> for their intended purpose.
>>> We'd like to get the intermediate frame issue documented and describe
>>> the optional ValidateAllAncestors flag in the RFC draft.
>> That sounds like a reasonable way to extend the existing syntax.  It's
>> slightly ugly
> Would just "AllAncestors" be clear enough?
> -- G
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
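The intermediate-frame issue and the AllAncestors flag discussed in the quoted exchange, as an added example that is not code from the Frame-Options draft or from any browser. It assumes a simplified header syntax (DENY, SAMEORIGIN, ALLOW-FROM <origin>, plus an AllAncestors token) and models the behaviour without the flag as checking only the top-level page; both are assumptions for illustration.

```javascript
// Added example, not code from the Frame-Options draft or from any browser.
// The policy grammar is simplified, and "only the top-level page is checked
// without the flag" is an assumption used to model the intermediate-frame
// issue the thread describes.

// Serialise a URL's origin as scheme://host[:port] for comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname.toLowerCase()}${u.port ? ":" + u.port : ""}`;
}

// Parse "DENY", "SAMEORIGIN" or "ALLOW-FROM <origin>", each optionally
// followed by the AllAncestors token (case-insensitive, space/comma separated).
function parseFrameOptions(headerValue) {
  const tokens = headerValue.trim().split(/[\s,]+/).filter(Boolean);
  const policy = { directive: null, allowFrom: null, allAncestors: false };
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i].toUpperCase();
    if (t === "DENY" || t === "SAMEORIGIN") {
      policy.directive = t;
    } else if (t === "ALLOW-FROM") {
      if (!tokens[i + 1]) throw new Error("ALLOW-FROM requires an origin");
      policy.directive = t;
      policy.allowFrom = originOf(tokens[++i]);
    } else if (t === "ALLANCESTORS") {
      policy.allAncestors = true;
    }
  }
  if (policy.directive === null) throw new Error("unrecognised Frame-Options value");
  return policy;
}

// framedUrl: the resource that carries the header.
// ancestors: URLs of the ancestor browsing contexts, top-level page first,
//            immediate parent last. An empty list means not framed at all.
function mayBeFramed(framedUrl, headerValue, ancestors) {
  const policy = parseFrameOptions(headerValue);
  if (ancestors.length === 0) return true;
  if (policy.directive === "DENY") return false;
  const allowed = policy.directive === "SAMEORIGIN" ? originOf(framedUrl) : policy.allowFrom;
  // Without AllAncestors only the top-level page (the one the user can judge)
  // is validated; with it every hosting frame up to the top level must pass.
  const checked = policy.allAncestors ? ancestors : [ancestors[0]];
  return checked.every((a) => originOf(a) === allowed);
}

// Constructed scenario: a same-origin top-level page embeds a third-party
// frame, which in turn embeds the protected resource.
const TARGET = "https://bank.example/account-widget";
const CHAIN = ["https://bank.example/portal", "https://third-party.example/wrapper"];

function intermediateFrameIssue() {
  return {
    // Top-level page is same-origin, so the intermediate frame slips through.
    sameOriginOnly: mayBeFramed(TARGET, "SAMEORIGIN", CHAIN),                        // true
    // Every ancestor is validated, so the third-party wrapper is rejected.
    sameOriginAllAncestors: mayBeFramed(TARGET, "SAMEORIGIN AllAncestors", CHAIN),  // false
  };
}

console.log(intermediateFrameIssue());
```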


From ynir@checkpoint.com  Tue Mar  6 00:43:24 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715A621F8762 for <websec@ietfa.amsl.com>; Tue,  6 Mar 2012 00:43:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.46
X-Spam-Level: 
X-Spam-Status: No, score=-10.46 tagged_above=-999 required=5 tests=[AWL=0.138,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lHpBYSFFC7Zs for <websec@ietfa.amsl.com>; Tue,  6 Mar 2012 00:43:23 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id EEF2E21F87B0 for <websec@ietf.org>; Tue,  6 Mar 2012 00:43:19 -0800 (PST)
X-CheckPoint: {4F55C983-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q268hIC3005432 for <websec@ietf.org>; Tue, 6 Mar 2012 10:43:18 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 6 Mar 2012 10:43:17 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Tue, 6 Mar 2012 10:43:17 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "websec@ietf.org WG" <websec@ietf.org>
Date: Tue, 6 Mar 2012 10:43:19 +0200
Thread-Topic: I-D Action: draft-nir-websec-extended-origin-02.txt
Thread-Index: Acz7dS0ITZx6TBa1REWoTA6fQg4JVg==
Message-ID: <F902E640-864A-46B8-A319-4F45C2FA8ACC@checkpoint.com>
References: <20120306075340.16237.26975.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_F902E640864A46B8A3194F45C2FA8ACCcheckpointcom_"
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Subject: [websec] Fwd: I-D Action: draft-nir-websec-extended-origin-02.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 08:43:24 -0000


Hi

I've submitted version -02 of the draft. It includes changes based on
comments by James Manger, Adam Barth, and Tobias.

I'm looking forward to discussing this on the mailing list and in Paris.

Yoav


Begin forwarded message:

From: internet-drafts@ietf.org
Subject: I-D Action: draft-nir-websec-extended-origin-02.txt
Date: March 6, 2012 9:53:40 AM GMT+02:00
To: i-d-announce@ietf.org
Reply-To: internet-drafts@ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title           : A More Granular Web Origin Concept
Author(s)       : Yoav Nir
Filename        : draft-nir-websec-extended-origin-02.txt
Pages           : 9
Date            : 2012-03-05

  This document defines an HTTP header that allows the partitioning of
  a single origin (as defined in RFC 6454) into multiple origins, so
  that the same origin policy applies among them.

  The header introduced in this document allows a portal to specify
  that resources that appear to be from the same origin should, in
  fact, be treated as though they are from different origins, by
  extending the 3-tuple of the origin to a 4-tuple.  A compliant user
  agent is expected to apply the same-origin policy according to the
  4-tuple rather than the 3-tuple.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-nir-websec-extended-origin-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-nir-websec-extended-origin-02.txt

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Scanned by Check Point Total Security Gateway.



From trac+websec@trac.tools.ietf.org  Thu Mar  8 15:05:04 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 668EF21F86BD for <websec@ietfa.amsl.com>; Thu,  8 Mar 2012 15:05:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZtVwou3hZ82 for <websec@ietfa.amsl.com>; Thu,  8 Mar 2012 15:05:03 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id AC07021F864E for <websec@ietf.org>; Thu,  8 Mar 2012 15:05:00 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S5mNx-0004ez-AH; Thu, 08 Mar 2012 18:04:37 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Thu, 08 Mar 2012 23:04:37 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/36#comment:1
Message-ID: <085.1223d43f67e87d9f2d2b01fe1edd87dd@trac.tools.ietf.org>
References: <070.8f650790271f76d19cdc48904c5eb755@trac.tools.ietf.org>
X-Trac-Ticket-ID: 36
In-Reply-To: <070.8f650790271f76d19cdc48904c5eb755@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120308230503.AC07021F864E@ietfa.amsl.com>
Resent-Date: Thu,  8 Mar 2012 15:05:00 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #36: HSTS: fixup references
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 23:05:04 -0000

#36: HSTS: fixup references


Comment (by jeff.hodges@…):

 Alexey notes that I too-ruthlessly moved refs from Normative to
 Informative. See
 <https://www.ietf.org/mail-archive/web/websec/current/msg01023.html>.

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  defect       |      Status:  new
 Priority:  minor        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:
 Severity:  Active WG    |
  Document               |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/36#comment:1>
websec <http://tools.ietf.org/websec/>


From Jeff.Hodges@KingsMountain.com  Thu Mar  8 15:41:13 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B54421E8042 for <websec@ietfa.amsl.com>; Thu,  8 Mar 2012 15:41:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.103
X-Spam-Level: 
X-Spam-Status: No, score=-100.103 tagged_above=-999 required=5 tests=[AWL=0.392, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvXNJdq4llEP for <websec@ietfa.amsl.com>; Thu,  8 Mar 2012 15:41:12 -0800 (PST)
Received: from oproxy7-pub.bluehost.com (oproxy7.bluehost.com [IPv6:2605:dc00:100:2::a7]) by ietfa.amsl.com (Postfix) with SMTP id 8EF0621E802D for <websec@ietf.org>; Thu,  8 Mar 2012 15:41:12 -0800 (PST)
Received: (qmail 27983 invoked by uid 0); 8 Mar 2012 23:41:12 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy7.bluehost.com with SMTP; 8 Mar 2012 23:41:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=jOmmRGt7HAhCGapC/i52iiMg5GXEkpGW4jspHoF955Y=;  b=zGElfjnHMz0DKfGmphfq35HmBeMOjvNM4/RrXl4MgUnhgI8ocG0OupZSVBVwEISsmbjYyCZfy6sxgQkhfoh0CuSODi686mR7jxqINWgtMho0GX6/wJ+aq0IImy6cgAiC;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S5mxL-0006GT-J8; Thu, 08 Mar 2012 16:41:11 -0700
Message-ID: <4F594396.1040503@KingsMountain.com>
Date: Thu, 08 Mar 2012 15:41:10 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 23:41:13 -0000

Thanks for the review Julian,

 > The ABNF now is:
 >
 >       Strict-Transport-Security = "Strict-Transport-Security" ":"
 >                                      directive *( ";" [ directive ] )
 >
 >
 >       directive                 = token [ "=" ( token | quoted-string ) ]
 >
 > ...and I think this is almost right.
 >
 > It does allow empty directives (thus repeated or trailing semicolons),
 > but not leading semicolons.
 >
 > So
 >
 >    STS: foo ;
 >
 > parses, but
 >
 >    STS: ; foo
 >
 > does not.

Well, I guess a question is whether we want "STS: ; foo " to "parse"?

I'm not sure we do, but can be convinced otherwise.

Part of the intention of the above ABNF is that the STS header must have at 
least one directive (i.e. max-age, given the constraints in the prose 
following the ABNF).

I suppose what you're trying to say is that all of the below ought to "parse" 
successfully...

    STS: max-age=nnnnnn

    STS: max-age=nnnnnn

    STS: max-age=nnnnnn ;

    STS: max-age=nnnnnn ; ; ;

    STS: ; max-age=nnnnnn

    STS: ; ; ; max-age=nnnnnn

    STS: ; ; ; max-age=nnnnnn  ; ; ;

?


 > This could be fixed by saying:
 >
 >       Strict-Transport-Security = "Strict-Transport-Security" ":"
 >                                   *( ";" [ directive ] )
 >

Yes, that allows for the constructions above, along with (at most one instance 
of) includeSubDomains being interspersed between any of the semicolons.



 > I like the subsequent prose about the additional constraints.

good :)



 > For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
 > should be legal here (I understand that's
 > <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)

Sections 6.1.1 and 6.1.2 describe the syntax particular to the max-age and 
includeSubDomains directives, and neither of those directives employs 
quoted-string, and I don't think they need to or should.

I conceded to add quoted-string syntax to the generic directive syntax of..

      directive                 = token [ "=" ( token | quoted-string ) ]

..in case someone at some time wishes to add an extension directive employing 
quoted-string syntax.

Are you saying that sections 6.1.1 and 6.1.2 need to explicitly declare non-use 
of quoted-string?  Presently it's implied by the declared ABNF syntax for 
those two defined directives..

     max-age       = "max-age" "=" delta-seconds

     delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

..and..

        includeSubDomains = "includeSubDomains"


thanks again,

=JeffH




From julian.reschke@gmx.de  Fri Mar  9 00:16:16 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D603421F860B for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 00:16:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.404
X-Spam-Level: 
X-Spam-Status: No, score=-104.404 tagged_above=-999 required=5 tests=[AWL=-1.805, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URuaoojZg470 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 00:16:16 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 83BCD21F85A1 for <websec@ietf.org>; Fri,  9 Mar 2012 00:16:15 -0800 (PST)
Received: (qmail invoked by alias); 09 Mar 2012 08:16:13 -0000
Received: from p3EE26BED.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.107.237] by mail.gmx.net (mp001) with SMTP; 09 Mar 2012 09:16:13 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19XqSYSUNZXGe3TJqyFmX6ZOQF5jUCyCjKdDin6hB 2W9AKMAugbobEn
Message-ID: <4F59BC49.3020308@gmx.de>
Date: Fri, 09 Mar 2012 09:16:09 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F594396.1040503@KingsMountain.com>
In-Reply-To: <4F594396.1040503@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 08:16:16 -0000

On 2012-03-09 00:41, =JeffH wrote:
> Thanks for the review Julian,
>
>  > The ABNF now is:
>  >
>  > Strict-Transport-Security = "Strict-Transport-Security" ":"
>  > directive *( ";" [ directive ] )
>  >
>  >
>  > directive = token [ "=" ( token | quoted-string ) ]
>  >
>  > ...and I think this is almost right.
>  >
>  > It does allow empty directives (thus repeated or trailing semicolons),
>  > but not leading semicolons.
>  >
>  > So
>  >
>  > STS: foo ;
>  >
>  > parses, but
>  >
>  > STS: ; foo
>  >
>  > does not.
>
> well, I guess a question is whether we want "STS: ; foo " to "parse" ?
>
> I'm not sure we do, but can be convinced otherwise.
>
> Part of the intention of the above ABNF is that the STS header must have
> at least one directive (i.e. max-age - given the constraints in the
> prose following the ABNF)
>
> I suppose what you're trying to say is that all of the below ought to
> "parse" successfully...
>
> STS: max-age=nnnnnn
>
> STS: max-age=nnnnnn
>
> STS: max-age=nnnnnn ;
>
> STS: max-age=nnnnnn ; ; ;
>
> STS: ; max-age=nnnnnn
>
> STS: ; ; ; max-age=nnnnnn
>
> STS: ; ; ; max-age=nnnnnn ; ; ;
>
> ?

Well, either be permissive with respect to superfluous delimiters or 
don't; but allowing them in one place but not the other?

>  > This could be fixed by saying:
>  >
>  > Strict-Transport-Security = "Strict-Transport-Security" ":"
>  > *( ";" [ directive ] )
>  >
>
> Yes, that allows for the constructions above, along with (at most one
> instance of) includeSubDomains being interspersed between any of the
> semicolons.
>
>
>
>  > I like the subsequent prose about the additional constraints.
>
> good :)
>
>
>
>  > For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
>  > should be legal here (I understand that's
>  > <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
>
> Sections 6.1.1 and 6.1.2 describe the syntax particular to the max-age and
> includeSubDomains directives, and neither of those directives employs
> quoted-string, and I don't think they need to or should.

I think they should, because it's likely that people will write parsers 
that allow both, thus you'll have an automated (and totally unneeded) 
interoperability problem.

> I conceded to add quoted-string syntax to the generic directive syntax of..
>
> directive = token [ "=" ( token | quoted-string ) ]
>
> ..in case someone at some time wishes to add an extension directive
> employing quoted-string syntax.
>
> Are you saying that sections 6.1.1 and 6.1.2 need to explicitly declare
> non-use of quoted-string ? Presently it's implied by the declared ABNF

The opposite.

> ...

Best regards, Julian

From Jeff.Hodges@KingsMountain.com  Fri Mar  9 08:02:39 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09DA321F8710 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 08:02:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.118
X-Spam-Level: 
X-Spam-Status: No, score=-100.118 tagged_above=-999 required=5 tests=[AWL=0.377, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GbSFCCy5fHp for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 08:02:38 -0800 (PST)
Received: from oproxy8-pub.bluehost.com (oproxy8.bluehost.com [IPv6:2605:dc00:100:2::a8]) by ietfa.amsl.com (Postfix) with SMTP id 5028A21F870F for <websec@ietf.org>; Fri,  9 Mar 2012 08:02:38 -0800 (PST)
Received: (qmail 865 invoked by uid 0); 9 Mar 2012 16:02:38 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy8.bluehost.com with SMTP; 9 Mar 2012 16:02:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=eFyqJ2fISRu/HRFAcJkqTxmbYEecKWkDwhH3fARFnqE=;  b=CQuYct6VxRm99HgN2y3jKgd4sxrYSPk76XZrpKPGX485jKux7PzeRddnDWbN53pSyYGxvdF6RpeLXmTdwoeofkSxPTLn4BC4KnjAuA7kTnlur0jYOjU4db1Lpasbh7or;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S62H6-0006c6-LJ; Fri, 09 Mar 2012 09:02:36 -0700
Message-ID: <4F5A299D.2040206@KingsMountain.com>
Date: Fri, 09 Mar 2012 08:02:37 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 16:02:39 -0000

 > On 2012-03-09 00:41, =JeffH wrote:
 >> Thanks for the review Julian,
 >>
 >>  > The ABNF now is:
 >>  >
 >>  > Strict-Transport-Security = "Strict-Transport-Security" ":"
 >>  > directive *( ";" [ directive ] )
 >>  >
 >>  >
 >>  > directive = token [ "=" ( token | quoted-string ) ]
 >>  >
 >>  > ...and I think this is almost right.
 >>  >
 >>  > It does allow empty directives (thus repeated or trailing semicolons),
 >>  > but not leading semicolons.
 >>  >
 >>  > So
 >>  >
 >>  > STS: foo ;
 >>  >
 >>  > parses, but
 >>  >
 >>  > STS: ; foo
 >>  >
 >>  > does not.
 >>
 >> well, I guess a question is whether we want "STS: ; foo " to "parse" ?
 >>
 >> I'm not sure we do, but can be convinced otherwise.
 >
 > Well, either be permissive with respect to superfluous delimiters or
 > don't; but allowing them in one place but not the other?

Yeah, seems fine, I'll make that change. The language describing the specifics 
of the presently defined directives addresses their cardinality and 
required/optional presence.

 >>  > For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
 >>  > should be legal here (I understand that's
 >>  > <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
 >>
 >> Sections 6.1.1 and 6.1.2 describe the syntax particular to the max-age and
 >> includeSubDomains directives, and neither of those directives employs
 >> quoted-string, and I don't think they need to or should.
 >
 > I think they should, because it's likely that people will write parsers
 > that allow both, thus you'll have an automated (and totally unneeded)
 > interoperability problem.

Well, I'm not terribly convinced about this, especially given my code 
reconnaissance in Firefox and Chrome. The spec clearly states what the syntax 
is for those directives and it doesn't encompass quoted-string variants of the 
values for max-age and delta-seconds. I think adding something like that will 
needlessly complicate the spec, so I respectfully decline to make such a change.

best regards,

=JeffH
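
The following is an added example in Python (my code, not from the draft or from Jeff's or Julian's messages): a parser for the Strict-Transport-Security field value that accepts every line of Jeff's list further up, leading, repeated and trailing semicolons included, and then applies the prose constraints both messages refer to: max-age required, each directive name at most once and compared case-insensitively, includeSubDomains without a value, and max-age taking only a bare 1*DIGIT token, so a quoted max-age is rejected as the 6.1.1 ABNF implies. Assumptions: the field value (what follows the "STS:" shorthand) is read as [ directive ] *( ";" [ directive ] ), which is what the bare "max-age=nnnnnn" line needs, and RFC 2616 implied LWS is tolerated around ";" and "=".

```python
"""Strict-Transport-Security field-value parser for the ABNF discussed in this
thread (constructed example, not code from the draft).  The value is read as
[ directive ] *( ";" [ directive ] ), with RFC 2616 implied LWS tolerated around
";" and "=" (assumption); the draft's prose constraints are then applied.
"""
import re
from typing import Dict, List, Optional

# RFC 2616 token: 1*<any CHAR except CTLs or separators>
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 quoted-string: <"> *( qdtext | quoted-pair ) <">
_QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x00-\x7f])*"'
# directive = token [ "=" ( token | quoted-string ) ]
_DIRECTIVE_RE = re.compile(rf"^({_TOKEN})(?:[ \t]*=[ \t]*({_TOKEN}|{_QUOTED}))?$")
_DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")  # delta-seconds = 1*DIGIT


class STSSyntaxError(ValueError):
    """The field value violates the ABNF or one of the prose constraints."""


def _split_directives(field_value: str) -> List[str]:
    """Split at every ';' that is not inside a quoted-string.

    str.split(";") would be wrong here: ';' is legal qdtext, so an extension
    directive such as ext="a;b" has to survive intact.
    """
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in field_value:
        if in_quote:
            buf.append(ch)
            if escaped:                  # second half of a quoted-pair
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise STSSyntaxError("unterminated quoted-string")
    parts.append("".join(buf))
    return parts


def parse_sts(field_value: str) -> Dict[str, Optional[str]]:
    """Return {lower-cased directive name: value or None} for a valid field value.

    Beyond the generic ABNF: max-age is required; no name appears twice (compared
    case-insensitively); includeSubDomains takes no value; max-age takes a bare
    1*DIGIT token, so max-age="300" is rejected.  Unknown extensions are kept.
    """
    directives: Dict[str, Optional[str]] = {}
    for element in _split_directives(field_value):
        element = element.strip(" \t")           # implied *LWS around ";"
        if not element:                          # empty directive: allowed, skipped
            continue
        m = _DIRECTIVE_RE.match(element)
        if not m:
            raise STSSyntaxError(f"not a directive: {element!r}")
        name, raw_value = m.group(1), m.group(2)
        key = name.lower()
        if key in directives:
            raise STSSyntaxError(f"directive {name!r} given more than once")
        if key == "max-age":
            if raw_value is None or not _DELTA_SECONDS_RE.match(raw_value):
                raise STSSyntaxError("max-age needs delta-seconds (1*DIGIT) as a token")
        elif key == "includesubdomains" and raw_value is not None:
            raise STSSyntaxError("includeSubDomains takes no value")
        if raw_value is not None and raw_value.startswith('"'):
            # quoted-string: drop the DQUOTEs and resolve quoted-pairs (\X -> X)
            raw_value = re.sub(r"\\(.)", r"\1", raw_value[1:-1])
        directives[key] = raw_value
    if "max-age" not in directives:
        raise STSSyntaxError("max-age directive is required")
    return directives


def accepts(field_value: str) -> bool:
    """True when parse_sts() accepts the field value, False when it rejects it."""
    try:
        parse_sts(field_value)
    except STSSyntaxError:
        return False
    return True


if __name__ == "__main__":
    # Two lines from Jeff's list (nnnnnn -> one year in seconds) and one quoted value.
    for s in ["max-age=31536000", "; ; ; max-age=31536000  ; ; ;", 'max-age="31536000"']:
        print(f"{s!r:42} -> {'accept' if accepts(s) else 'reject'}")
```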





From trac+websec@trac.tools.ietf.org  Fri Mar  9 08:12:07 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 818AD21F8692 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 08:12:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8A7LRUZ0Kl8 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 08:12:07 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id E516021F869D for <websec@ietf.org>; Fri,  9 Mar 2012 08:12:05 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S62Pp-0007uH-SJ; Fri, 09 Mar 2012 11:11:37 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 16:11:37 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:3
Message-ID: <085.567a0b02f7ef14214dd56fdf35d75fe7@trac.tools.ietf.org>
References: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-Trac-Ticket-ID: 33
In-Reply-To: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120309161206.E516021F869D@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 08:12:05 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #33: HSTS: quoted-string grammar in (extension) directives ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 16:12:07 -0000

#33: HSTS: quoted-string grammar in (extension) directives ?


Comment (by jeff.hodges@…):

 Further nits wrt STS header ABNF are in the thread rooted here..

 [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04
 https://www.ietf.org/mail-archive/web/websec/current/msg01020.html

 the crux being..

    STS: foo ;

 parses, but

    STS: ; foo

 does not. This could be fixed by saying:

       Strict-Transport-Security = "Strict-Transport-Security" ":"
                                   *( ";" [ directive ] )

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  defect       |      Status:  new
 Priority:  major        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:
 Severity:  Active WG    |
  Document               |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:3>
websec <http://tools.ietf.org/websec/>


From internet-drafts@ietf.org  Fri Mar  9 13:00:10 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9172221F863F; Fri,  9 Mar 2012 13:00:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.542
X-Spam-Level: 
X-Spam-Status: No, score=-102.542 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAstCK9-n1Zz; Fri,  9 Mar 2012 13:00:09 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB44321F863E; Fri,  9 Mar 2012 13:00:09 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.00
Message-ID: <20120309210009.10048.64868.idtracker@ietfa.amsl.com>
Date: Fri, 09 Mar 2012 13:00:09 -0800
Cc: websec@ietf.org
Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-05.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:00:10 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                          Collin Jackson
                          Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-05.txt
	Pages           : 43
	Date            : 2012-03-09

   This specification defines a mechanism enabling Web sites to declare
   themselves accessible only via secure connections, and/or for users
   to be able to direct their user agent(s) to interact with given sites
   only over secure connections.  This overall policy is referred to as
   HTTP Strict Transport Security (HSTS).  The policy is declared by Web
   sites via the Strict-Transport-Security HTTP response header field,
   and/or by other means, such as user agent configuration, for example.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt


From Jeff.Hodges@KingsMountain.com  Fri Mar  9 13:11:53 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4940321E8049 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:11:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.982
X-Spam-Level: 
X-Spam-Status: No, score=-98.982 tagged_above=-999 required=5 tests=[AWL=-0.787, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MANGLED_TOOL=2.3, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqBL7kxJ+xBq for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:11:52 -0800 (PST)
Received: from oproxy4-pub.bluehost.com (oproxy4.bluehost.com [IPv6:2605:dc00:100:2::a4]) by ietfa.amsl.com (Postfix) with SMTP id 0D8E921E803F for <websec@ietf.org>; Fri,  9 Mar 2012 13:11:51 -0800 (PST)
Received: (qmail 30173 invoked by uid 0); 9 Mar 2012 21:11:51 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 9 Mar 2012 21:11:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=btfAxEZvvDsG5FUwQOWZSxKQ7aAqCboGK8QoHQcCmls=;  b=p6ibI+SzckFdUMt/ED8/5JF6EdCCh8Ryz3Aq0eBAwdacDkbnFFW8EiQhivJXnheD0krbHeETo0oAqR8NODTUzc4Ldq2yXj6PN+nRCLMis+4OI7TThmd4Il1xObNDLFJL;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S676M-0005ei-Ds for websec@ietf.org; Fri, 09 Mar 2012 14:11:50 -0700
Message-ID: <4F5A720D.8040106@KingsMountain.com>
Date: Fri, 09 Mar 2012 13:11:41 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-05
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:11:53 -0000

New rev:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

With this rev, all issue tickets are now nominally addressed. Full change log
below, and full -04 announcement message at end.

Changes from -04 to -05 address: 33, 36

Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34,
                                   35, 36

Changes from -02 to -03 address: 14, 26, 27

Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12


full issue ticket list for strict-transport-sec:
<http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>

Diff from previous version:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05

=JeffH


==============================================================

Appendix D.  Change Log

    [RFCEditor: please remove this section upon publication as an RFC.]

    Changes are grouped by spec revision listed in reverse issuance
    order.

D.1.  For draft-ietf-websec-strict-transport-sec

       Changes from -04 to -05:

       1.  Fixed up references to move certain ones back to the normative
           section -- as requested by Alexey M. Added explanation for
           referencing obsoleted [RFC3490] and [RFC3492].  This addresses
           issue ticket #36.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

       2.  Made minor change to Strict-Transport-Security header field
           ABNF in order to address further feedback as appended to
           ticket #33.  This addresses issue ticket #33.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

       Changes from -03 to -04:

       1.   Clarified that max-age=0 will cause UA to forget a known HSTS
            host, and more generally clarified that the "freshest" info
            from the HSTS host is cached, and thus HSTS hosts are able to
            alter the cached max-age in UAs.  This addresses issue ticket
            #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>

       2.   Updated section on "Constructing an Effective Request URI" to
            remove remaining reference to RFC3986 and reference RFC2616
            instead.  Further addresses issue ticket #14.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

       3.   Addresses further ABNF issues noted in comment:1 of issue
            ticket #27.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/27#comment:1>

       4.   Reworked the introduction to clarify the denotation of "HSTS
            policy" and added the new Appendix B summarizing the primary
            characteristics of HSTS Policy and Same-Origin Policy, and
            identifying their differences.  Added ref to [RFC4732].  This
            addresses issue ticket #28.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>

       5.   Reworked language in Section 2.3.1.3. wrt "mixed content",
            more clearly explain such vulnerability, disambiguate "mixed
            content" in web security context from its usage in markup
            language context.  This addresses issue ticket #29.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>

       6.   Expanded Denial of Service discussion in Security
            Considerations.  Added refs to [RFC4732] and [CWE-113].  This
            addresses issue ticket #30.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>

       7.   Mentioned in prose the case-insensitivity of directive names.
            This addresses issue ticket #31.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>

       8.   Added Section 10.3 "Implications of includeSubDomains".  This
            addresses issue ticket #32.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>

       9.   Further refines text and ABNF definitions of STS header field
            directives.  Retains use of quoted-string in directive
            grammar.  This addresses issue ticket #33.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

       10.  Added Section 14.7 "Creative Manipulation of HSTS Policy
            Store", including reference to [WebTracking].  This addresses
            issue ticket #34.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>

       11.  Added Section 14.1 "Ramifications of HSTS Policy
            Establishment only over Error-free Secure Transport" and made
            some accompanying editorial fixes in some other sections.
            This addresses issue ticket #35.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>

       12.  Refined references.  Cleaned out unused ones, updated to
            latest RFCs for others, consigned many to Informational.
            This addresses issue ticket #36.
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

       13.  Fixed-up some inaccuracies in the "Changes from -02 to -03"
            section.

       Changes from -02 to -03:

       1.  Updated section on "Constructing an Effective Request URI" to
           remove references to RFC3986.  Addresses issue ticket #14.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

       2.  Reference RFC5890 for IDNA, retaining subordinate refs to
           RFC3490.  Updated IDNA-specific language, e.g. domain name
           canonicalization and IDNA dependencies.  Addresses issue
           ticket #26
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.

       3.  Completely re-wrote the STS header ABNF to be fully based on
           RFC2616, rather than a hybrid of RFC2616 and httpbis.
           Addresses issue ticket #27
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.

       Changes from -01 to -02:

       1.   Updated Section 8.2 "URI Loading and Port Mapping" fairly
            thoroughly in terms of refining the presentation of the
            steps, and to ensure the various aspects of port mapping are
            clear.  Nominally fixes issue ticket #1
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>

       2.   Removed dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
            ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
            Header Field" by lifting some productions entirely from
            [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
            [RFC2616].  Addresses issue ticket #2
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.

       3.   Updated Effective Request URI section and definition to use
            language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
            ABNF from [RFC2616].  Fixes issue ticket #3
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.

       4.   Added explicit mention that the HSTS policy applies to all
            TCP ports of a host advertising the HSTS policy.  Nominally
            fixes issue ticket #4
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>

       5.   Clarified the need for the "includeSubDomains" directive,
            e.g. to protect Secure-flagged domain cookies.  In
            Section 14.2 "The Need for includeSubDomains".  Nominally
            fixes issue ticket #5
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>

       6.   Cited Firesheep as real-life threat in Section 2.3.1.1
            "Passive Network Attackers".  Nominally fixes issue ticket #6
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.

       7.   Added text to Section 11 "User Agent Implementation Advice"
            justifying connection termination due to tls warnings/errors.
            Nominally fixes issue ticket #7
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.

       8.   Added new subsection Section 8.5 "Interstitially Missing
            Strict-Transport-Security Response Header Field".  Nominally
            fixes issue ticket #8
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.

       9.   Added text to Section 8.3 "Errors in Secure Transport
            Establishment" to explicitly note revocation check failures as
            errors causing connection termination.  Added references to
            [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.

       10.  Added a sentence, noting that distributing specific end-
            entity certificates to browsers will also work for self-
            signed/private-CA cases, to Section 10 "Server Implementation
            and Deployment Advice".  Nominally fixes issue ticket #10
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.

       11.  Moved "with no user recourse" language from Section 8.3
            "Errors in Secure Transport Establishment" to Section 11
            "User Agent Implementation Advice".  This nominally fixes
            issue ticket #11
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.

       12.  Removed any and all dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
            on [RFC2616] only.  Fixes issue ticket #12
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.

       13.  Removed the inline "XXX1" issue because no one had commented
            on it and it seems reasonable to suggest as a SHOULD that web
            apps should redirect incoming insecure connections to secure
            connections.

       14.  Removed the inline "XXX2" issue because it was simply for
            raising consciousness about having some means for
            distributing secure web application metadata.

       15.  Removed "TODO1" because description prose for "max-age" in
            the Note following the ABNF in Section 6 seems to be fine.

       16.  Decided for "TODO2" that "the first STS header field wins".
            TODO2 had read: "Decide UA behavior in face of encountering
            multiple HSTS headers in a message.  Use first header?
            Last?".  Removed TODO2.

       17.  Added Section 1.1 "Organization of this specification" for
            readers' convenience.

       18.  Moved design decision notes to be a proper appendix
            Appendix A.

       Changes from -00 to -01:

       1.  Changed the "URI Loading" section to be "URI Loading and Port
           Mapping".

       2.  [HASMAT] reference changed to [WEBSEC].

       3.  Changed "server" -> "host" where applicable, notably when
           discussing "HSTS Hosts".  Left as "server" when discussing
           e.g. "http server"s.

       4.  Fixed minor editorial nits.

       Changes from draft-hodges-strict-transport-sec-02 to
       draft-ietf-websec-strict-transport-sec-00:

       1.  Altered spec metadata (e.g. filename, date) in order to submit
           as a WebSec working group Internet-Draft.

D.2.  For draft-hodges-strict-transport-sec

       Changes from -01 to -02:

       1.   Updated abstract such that means for expressing HSTS Policy
            other than via HSTS header field is noted.


       2.   Changed spec title to "HTTP Strict Transport Security (HSTS)"
            from "Strict Transport Security".  Updated use of "STS"
            acronym throughout spec to HSTS (except for when specifically
            discussing syntax of Strict-Transport-Security HTTP Response
            Header field), updated "Terminology" appropriately.

       3.   Updated the discussion of "Passive Network Attackers" to be
            more precise and offered references.

       4.   Removed para on normative/non-normative from "Conformance
            Criteria" pending polishing said section to IETF RFC norms.

       5.   Added examples subsection to "Syntax" section.

       6.   Added OWS to maxAge production in Strict-Transport-Security
            ABNF.

       7.   Cleaned up explanation in the "Note:" in the "HTTP-over-
            Secure-Transport Request Type" section, folded 3rd para into
            "Note:", added conformance clauses to the latter.

       8.   Added explanatory "Note:" and reference to "HTTP Request
            Type" section.  Added "XXX1" issue.

       9.   Added conformance clause to "URI Loading".

       10.  Moved "Notes for STS Server implementors:" from "UA
            Implementation Advice" to "HSTS Policy expiration time
            considerations:" in "Server Implementation Advice", and also
            noted another option.

       11.  Added cautionary "Note:" to "Ability to delete UA's cached
            HSTS Policy on a per HSTS Server basis".

       12.  Added some informative references.

       13.  Various minor editorial fixes.

       Changes from -00 to -01:

       1.  Added reference to HASMAT mailing list and request that this
           spec be discussed there.

==============================================================

Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-05.txt
From: internet-drafts@ietf.org
Date: Fri, 09 Mar 2012 13:00:09 -0800
To: i-d-announce@ietf.org
Cc: websec@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                           Collin Jackson
                           Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-05.txt
	Pages           : 43
	Date            : 2012-03-09

    This specification defines a mechanism enabling Web sites to declare
    themselves accessible only via secure connections, and/or for users
    to be able to direct their user agent(s) to interact with given sites
    only over secure connections.  This overall policy is referred to as
    HTTP Strict Transport Security (HSTS).  The policy is declared by Web
    sites via the Strict-Transport-Security HTTP response header field,
    and/or by other means, such as user agent configuration, for example.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt


==============================================================
end
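
The user-agent-side behaviour that the changelog above records as settled, pulled together as an added Python 3 example (standard library only; not code from the draft, its authors or this thread): the first STS header field wins, directive names are case-insensitive, directive values may be token or quoted-string per the RFC2616-based ABNF, the policy covers every TCP port of the host, includeSubDomains extends it to subdomains, and URI port mapping leaves an explicit non-80 port alone. Two details are taken from the published HSTS spec (RFC 6797) rather than from this page and are marked as such in the comments: max-age=0 makes the UA forget the host, and a directive given twice makes the field value malformed. Host names and clock values in the test are constructed.

```python
import re
import time
import urllib.parse

# RFC 2616 "token" and "quoted-string", the productions the -03/-04 changelog
# says the STS header ABNF is now built from.  Directive values may be either.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE_RE = re.compile(
    r"\s*(?P<name>" + _TOKEN + r")\s*"
    r"(?:=\s*(?P<value>" + _TOKEN + r"|" + _QUOTED_STRING + r"))?\s*$"
)


def _unquote(value):
    """Strip the quotes of a quoted-string and undo quoted-pair escapes."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts_header(field_value):
    """Parse one Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the value is
    malformed and the UA must ignore it.  Directive names are compared
    case-insensitively and unknown directives are skipped.  A directive that
    appears twice is treated as malformed (RFC 6797 rule, not on this page).
    """
    directives = {}
    for raw in field_value.split(";"):
        if raw.strip() == "":
            continue  # the #rule list form permits empty elements
        match = _DIRECTIVE_RE.match(raw)
        if match is None:
            return None
        name = match.group("name").lower()
        if name in directives:
            return None
        value = match.group("value")
        directives[name] = None if value is None else _unquote(value)
    max_age = directives.get("max-age")
    if max_age is None or re.fullmatch(r"[0-9]+", max_age) is None:
        return None  # max-age is required and must be a non-negative integer
    if "includesubdomains" in directives and directives["includesubdomains"] is not None:
        return None  # includeSubDomains is a valueless directive
    return int(max_age), "includesubdomains" in directives


class HstsPolicyStore:
    """UA-side store of Known HSTS Hosts, keyed by host name only: the policy
    covers every TCP port of the host, so the port that delivered the header
    is not part of the key.  The clock is injectable so expiry is testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry_epoch_seconds, include_subdomains)

    def process_response(self, host, sts_field_values, secure_and_error_free=True):
        """Apply the STS header field(s) of one response; True if accepted.
        Policy is established only over error-free secure transport, and when
        several STS fields are present the first one wins."""
        if not secure_and_error_free or not sts_field_values:
            return False
        parsed = parse_sts_header(sts_field_values[0])
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            # max-age=0 tells the UA to forget the host (RFC 6797 behaviour)
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a superdomain cached with includeSubDomains, is unexpired."""
        labels = host.lower().rstrip(".").split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self._hosts[candidate]  # lazily evict an expired policy
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite_uri(self, uri):
        """"URI Loading and Port Mapping": http -> https for a Known HSTS Host.
        An absent port or an explicit port 80 maps to the https default (443,
        left implicit); any other explicit port is carried over unchanged."""
        parts = urllib.parse.urlsplit(uri)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return uri
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ":%d" % parts.port
        return urllib.parse.urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```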



From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:13:45 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:13:41 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/1#comment:1
Message-ID: <085.d3df1c7a5f8e011c6c313a6a991e1be2@trac.tools.ietf.org>
X-Trac-Ticket-ID: 1
In-Reply-To: <070.f8fc0b2bd09928d1a738c38b65bbdcc1@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #1: port mapping should be explicit about case where URI does not contain explicit port

#1: port mapping should be explicit about case where URI does not contain
explicit port

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/1#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:14:57 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:14:55 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/2#comment:1
Message-ID: <085.0dadb47331923861ff48fc6324b52e41@trac.tools.ietf.org>
X-Trac-Ticket-ID: 2
In-Reply-To: <070.635a7e567ddf1f9f8a84288abf1b42d3@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #2: Effective Request URI definition dependency on HTTPbis spec ?

#2: Effective Request URI definition dependency on HTTPbis spec ?

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  task                  |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/2#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:15:29 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:15:27 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/3#comment:1
Message-ID: <085.f94a934223b0bf4b4188e77da0529ec4@trac.tools.ietf.org>
X-Trac-Ticket-ID: 3
In-Reply-To: <070.63a0bf52be517dce3a5d316b05756c40@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #3: Better Effective Request URI definition

#3: Better Effective Request URI definition

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/3#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:16:03 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:15:59 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:3
Message-ID: <085.2bf3c9bc79565dff99f0309be8ef87c2@trac.tools.ietf.org>
X-Trac-Ticket-ID: 4
In-Reply-To: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #4: Clarify that HSTS policy applies to entire host (all ports)

#4: Clarify that HSTS policy applies to entire host (all ports)

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:3>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:16:31 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:16:30 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/5#comment:2
Message-ID: <085.424852a8bb1bc56a972d674ae33b06ac@trac.tools.ietf.org>
X-Trac-Ticket-ID: 5
In-Reply-To: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #5: Clarify need for IncludeSubDomains

#5: Clarify need for IncludeSubDomains

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5#comment:2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:17:05 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:17:04 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/6#comment:1
Message-ID: <085.0e2b0e8f1ec6b99bcc14dd5a0343a554@trac.tools.ietf.org>
X-Trac-Ticket-ID: 6
In-Reply-To: <070.49c4e104dbd9e8852151d18762481bb1@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #6: cite FireSheep as real-life threat HSTS addresses

#6: cite FireSheep as real-life threat HSTS addresses

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/6#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:17:34 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Date: Fri, 09 Mar 2012 21:17:33 -0000
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:2
Message-ID: <085.1c2adc5e1cd545b67038d6ec0c1c84c9@trac.tools.ietf.org>
X-Trac-Ticket-ID: 7
In-Reply-To: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #7: clarify and add examples/justification wrt connection termination due to tls warnings/errors
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:17:34 -0000

#7: clarify and add examples/justification wrt connection termination due to
tls warnings/errors

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:18:56 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC38721F84A1 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:18:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fno6KRO0-Ua9 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:18:56 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 2394D21F8483 for <websec@ietf.org>; Fri,  9 Mar 2012 13:18:56 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67DD-0001MQ-Fj; Fri, 09 Mar 2012 16:18:55 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:18:55 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/8#comment:1
Message-ID: <085.19928a5f124981b7c8caf44bc794164e@trac.tools.ietf.org>
References: <070.9ee40aea6eccfa2ee82e172d4a18d11f@trac.tools.ietf.org>
X-Trac-Ticket-ID: 8
In-Reply-To: <070.9ee40aea6eccfa2ee82e172d4a18d11f@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #8: clarify/explain behavior when STS header not returned by known HSTS Host
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:18:56 -0000

#8: clarify/explain behavior when STS header not returned by known HSTS Host

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/8#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:22:40 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3ABE21E8089 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M+w-qIDhRqyC for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:22:39 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 7882A21E808C for <websec@ietf.org>; Fri,  9 Mar 2012 13:22:39 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67Go-000809-RI; Fri, 09 Mar 2012 16:22:38 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:22:38 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/9#comment:1
Message-ID: <085.6d78e8cca2a3f18f13cc2b3924c94d45@trac.tools.ietf.org>
References: <070.44d3a8d3efb1d14822e889e8f61bab63@trac.tools.ietf.org>
X-Trac-Ticket-ID: 9
In-Reply-To: <070.44d3a8d3efb1d14822e889e8f61bab63@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #9: explicitly note revocation check failures as errors causing connection termination?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:22:40 -0000

#9: explicitly note revocation check failures as errors causing connection
termination?

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/9#comment:1>
websec <http://tools.ietf.org/websec/>


From Jeff.Hodges@KingsMountain.com  Fri Mar  9 13:37:19 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CCF21E805F for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:37:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.804
X-Spam-Level: 
X-Spam-Status: No, score=-98.804 tagged_above=-999 required=5 tests=[AWL=-0.909, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNaeJd-klzHU for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:37:18 -0800 (PST)
Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by ietfa.amsl.com (Postfix) with SMTP id 9340B21E8032 for <websec@ietf.org>; Fri,  9 Mar 2012 13:37:18 -0800 (PST)
Received: (qmail 6357 invoked by uid 0); 9 Mar 2012 21:37:18 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com with SMTP; 9 Mar 2012 21:37:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=9D2xiSbPFZKGgSzXTw9L/y4lKydT47et/A+qyf6arvA=;  b=UrkhLWJjAXc/Er3dTUzcCr30syTYlpj4ZbotchHXqfQ36aHoah+ArVm+MLGwZblfRZ2hSzKuL+YFY/eZwKf6LoHRJupXnrnKaf3pA1y51dvkWdrC+87OSebz9CZKwWYa;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S67Uz-0003UI-Og for websec@ietf.org; Fri, 09 Mar 2012 14:37:17 -0700
Message-ID: <4F5A780E.6000208@KingsMountain.com>
Date: Fri, 09 Mar 2012 13:37:18 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] WG Last Call for -strict-transport-sec-05 ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:37:19 -0000

As far as I know, draft-ietf-websec-strict-transport-sec-05 is ready for WG 
Last Call.

=JeffH

From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:24 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D27D21E8098 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7NvR0q0g1QbU for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:23 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id B9A4021E805E for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:17 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67JP-0006FD-Aj; Fri, 09 Mar 2012 16:25:19 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:25:19 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/26#comment:1
Message-ID: <085.fe9c0e6b54cc3c071b6da99c1810cda9@trac.tools.ietf.org>
References: <070.45b3e36f2fc91121b4d5c6938f180a3e@trac.tools.ietf.org>
X-Trac-Ticket-ID: 26
In-Reply-To: <070.45b3e36f2fc91121b4d5c6938f180a3e@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214718.B9A4021E805E@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:17 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #26: reference IDNA2008 as well as IDNA2003
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:24 -0000

#26: reference IDNA2008 as well as IDNA2003

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+--------------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+--------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/26#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:24 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87EB021E8099 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvFm6SP32kVq for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 11BB321E8041 for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67MX-0000Vn-F3; Fri, 09 Mar 2012 16:28:33 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:28:33 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/36#comment:2
Message-ID: <085.039d4625a6c7d83552ab1a319853f03c@trac.tools.ietf.org>
References: <070.8f650790271f76d19cdc48904c5eb755@trac.tools.ietf.org>
X-Trac-Ticket-ID: 36
In-Reply-To: <070.8f650790271f76d19cdc48904c5eb755@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214724.11BB321E8041@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #36: HSTS: fixup references
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:24 -0000

#36: HSTS: fixup references

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+--------------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+--------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/36#comment:2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:24 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC6BB21E8098 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNZnYrbaOKgx for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 4C77E21E805E for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67MH-0007Dk-7k; Fri, 09 Mar 2012 16:28:17 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:28:17 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/35#comment:1
Message-ID: <085.48f94d26128c3f94498a0563a56ae72a@trac.tools.ietf.org>
References: <070.f70ee4d09481ba2840593de66b0fd5f4@trac.tools.ietf.org>
X-Trac-Ticket-ID: 35
In-Reply-To: <070.f70ee4d09481ba2840593de66b0fd5f4@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214724.4C77E21E805E@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #35: HSTS spec could be more clear about UA behavior behind proxies
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:24 -0000

#35: HSTS spec could be more clear about UA behavior behind proxies

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+--------------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+--------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/35#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:25 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0046521E8098 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NtbafMQN5pcy for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 83A4221E8088 for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67M4-0006K9-Lh; Fri, 09 Mar 2012 16:28:04 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:28:04 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/34#comment:1
Message-ID: <085.c5af82cdad85607fb0c420a8ef4111b6@trac.tools.ietf.org>
References: <070.daef625ac2bff2b5e11ec0521f0bc368@trac.tools.ietf.org>
X-Trac-Ticket-ID: 34
In-Reply-To: <070.daef625ac2bff2b5e11ec0521f0bc368@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214724.83A4221E8088@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #34: HSTS cache manipulation and misuse by server enabled by wildcard cert
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:25 -0000

#34: HSTS cache manipulation and misuse by server enabled by wildcard cert

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+--------------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+--------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/34#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:25 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296A721E8098 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cP-8IpFBwSgq for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id B22E621E8041 for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67Lq-0005OM-HC; Fri, 09 Mar 2012 16:27:50 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:27:50 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:4
Message-ID: <085.2f22490708e10efe5d7ef16755430895@trac.tools.ietf.org>
References: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-Trac-Ticket-ID: 33
In-Reply-To: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214724.B22E621E8041@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:24 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #33: HSTS: quoted-string grammar in (extension) directives ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:25 -0000

#33: HSTS: quoted-string grammar in (extension) directives ?

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:4>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:25 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:27:35 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/32#comment:1
Message-ID: <085.2da7e987162d4f2cb95f58237c6076d9@trac.tools.ietf.org>
References: <070.b5e0cfa5b3a6fe7add2652f951e3143f@trac.tools.ietf.org>
X-Trac-Ticket-ID: 32
In-Reply-To: <070.b5e0cfa5b3a6fe7add2652f951e3143f@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #32: HSTS: explain some practical implications of includeSubDomains directive

#32: HSTS: explain some practical implications of includeSubDomains directive

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/32#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:25 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:27:19 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/31#comment:1
Message-ID: <085.8e2a9d23c797ee384f1a93737da1d961@trac.tools.ietf.org>
References: <070.68b3117d50f361935101f81dd18f1c89@trac.tools.ietf.org>
X-Trac-Ticket-ID: 31
In-Reply-To: <070.68b3117d50f361935101f81dd18f1c89@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #31: HSTS: mention case insensitivity in prose for "max-age" and "includeSubDomains"

#31: HSTS: mention case insensitivity in prose for "max-age" and "includeSubDomains"

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/31#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:25 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:27:03 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/30#comment:1
Message-ID: <085.25d0d659c2193fca7039a3a9077b195d@trac.tools.ietf.org>
References: <070.9bcc15f64797e545d79084876df10189@trac.tools.ietf.org>
X-Trac-Ticket-ID: 30
In-Reply-To: <070.9bcc15f64797e545d79084876df10189@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #30: HSTS: add an informational reference to RFC 4732: Denial-of-Service Considerations

#30: HSTS: add an informational reference to RFC 4732: Denial-of-Service Considerations

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/30#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:26 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:26:28 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/29#comment:1
Message-ID: <085.446f2aa131a79ca224a8117cead799d5@trac.tools.ietf.org>
References: <070.1a3da0b8fa7ba44ba84d532e60c04267@trac.tools.ietf.org>
X-Trac-Ticket-ID: 29
In-Reply-To: <070.1a3da0b8fa7ba44ba84d532e60c04267@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #29: HSTS: disambiguate "mixed content" term & provide reference

#29: HSTS: disambiguate "mixed content" term & provide reference

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/29#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:26 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:26:09 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/28#comment:1
Message-ID: <085.bf4f539c51cfe61a7d15dad91d9c44f1@trac.tools.ietf.org>
References: <070.3a39431f6b25ef97957a720cb34b8bc4@trac.tools.ietf.org>
X-Trac-Ticket-ID: 28
In-Reply-To: <070.3a39431f6b25ef97957a720cb34b8bc4@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #28: HSTS spec unclear about the denotation of "HSTS policy"

#28: HSTS spec unclear about the denotation of "HSTS policy"

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/28#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:26 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:25:43 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/27#comment:3
Message-ID: <085.107cde04732a5fed95e160390e5de244@trac.tools.ietf.org>
References: <070.4240e75d9bcd1a27acd9fe924417061f@trac.tools.ietf.org>
X-Trac-Ticket-ID: 27
In-Reply-To: <070.4240e75d9bcd1a27acd9fe924417061f@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #27: HSTS header ABNF is a hybrid of RFC2616 and httpbis and is overly complex and broken

#27: HSTS header ABNF is a hybrid of RFC2616 and httpbis and is overly complex and broken

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/27#comment:3>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:26 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:25:03 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/14#comment:1
Message-ID: <085.70fa3cbbe571bfe2c15264759df1b415@trac.tools.ietf.org>
References: <070.b5593d5ae1f599f191177a5e921f48e4@trac.tools.ietf.org>
X-Trac-Ticket-ID: 14
In-Reply-To: <070.b5593d5ae1f599f191177a5e921f48e4@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #14: Effective Request URI definition issues

#14: Effective Request URI definition issues

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  minor                 |   Milestone:
Component:  strict-transport-sec  |     Version:  2.0
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/14#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:26 2012
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:24:47 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/13#comment:1
Message-ID: <085.73ba505104263892c203980a4c602b32@trac.tools.ietf.org>
References: <070.2166a9e8ac88377c23745138c902f2a0@trac.tools.ietf.org>
X-Trac-Ticket-ID: 13
In-Reply-To: <070.2166a9e8ac88377c23745138c902f2a0@trac.tools.ietf.org>
Cc: websec@ietf.org
Subject: Re: [websec] #13: clarify that max-age=0 will cause UA to forget a known HSTS host

#13: clarify that max-age=0 will cause UA to forget a known HSTS host

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------------------------------------
 Reporter:  jeff.hodges@…         |       Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  -                     |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/13#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:27 2012
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:24:23 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/12#comment:2
Message-ID: <085.7054de372822fd8ce011f258ef7952af@trac.tools.ietf.org>
References: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-Trac-Ticket-ID: 12
In-Reply-To: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214726.D3CE221E80A3@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:26 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:28 -0000

#12: Remove dependencies on HTTPbis and depend on RFC2616 only

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  enhancement  |      Status:  closed
 Priority:  major        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:  fixed
 Severity:  Active WG    |
  Document               |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/12#comment:2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:29 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F6AE21E80C3 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hg8XGDd-Aspt for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:27 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 1531C21E80A9 for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:27 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67IA-0002ap-6i; Fri, 09 Mar 2012 16:24:02 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:24:02 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/11#comment:1
Message-ID: <085.88cf67ae35054b775dda2acf280e7b3b@trac.tools.ietf.org>
References: <070.af0bfffe62bd5e0a6e782fea2e8d2597@trac.tools.ietf.org>
X-Trac-Ticket-ID: 11
In-Reply-To: <070.af0bfffe62bd5e0a6e782fea2e8d2597@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-To: 
Resent-Message-Id: <20120309214727.1531C21E80A9@ietfa.amsl.com>
Resent-Date: Fri,  9 Mar 2012 13:47:27 -0800 (PST)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #11: failing insecure connections and user recourse
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:29 -0000

#11: failing insecure connections and user recourse

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  defect       |      Status:  closed
 Priority:  major        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:  fixed
 Severity:  Active WG    |
  Document               |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/11#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Mar  9 13:47:29 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7932C21E80A9 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lf9pgiV8OKWf for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 13:47:27 -0800 (PST)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 4CCC621E80AA for <websec@ietf.org>; Fri,  9 Mar 2012 13:47:27 -0800 (PST)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S67Hh-0001MQ-GN; Fri, 09 Mar 2012 16:23:33 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 09 Mar 2012 21:23:33 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/10#comment:1
Message-ID: <085.5b37e0179ef8cd5ebf3ff956a60e71f3@trac.tools.ietf.org>
References: <070.e5eb4060c3ca435f535b76c7060ada83@trac.tools.ietf.org>
X-Trac-Ticket-ID: 10
In-Reply-To: <070.e5eb4060c3ca435f535b76c7060ada83@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #10: note that end-entity certs can be distrib'd to http clients ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 21:47:29 -0000

#10: note that end-entity certs can be distrib'd to http clients ?

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
----------------------------------+---------------------
 Reporter:  jeff.hodges@…         |       Owner:  =JeffH
     Type:  defect                |      Status:  closed
 Priority:  major                 |   Milestone:
Component:  strict-transport-sec  |     Version:
 Severity:  Active WG Document    |  Resolution:  fixed
 Keywords:                        |
----------------------------------+---------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/10#comment:1>
websec <http://tools.ietf.org/websec/>


From julian.reschke@gmx.de  Fri Mar  9 17:02:30 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453CB21E8053 for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 17:02:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fSAe1HM1KVeK for <websec@ietfa.amsl.com>; Fri,  9 Mar 2012 17:02:29 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id C5FAF21E8062 for <websec@ietf.org>; Fri,  9 Mar 2012 17:02:28 -0800 (PST)
Received: (qmail invoked by alias); 10 Mar 2012 01:02:27 -0000
Received: from p57A6D847.dip.t-dialin.net (EHLO [192.168.178.36]) [87.166.216.71] by mail.gmx.net (mp036) with SMTP; 10 Mar 2012 02:02:27 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+tWmVunryt7jGPpJ+R5t9QIX9pDvsTYxdKCm90rC tbqbbevxtdW2aZ
Message-ID: <4F5AA821.5040608@gmx.de>
Date: Sat, 10 Mar 2012 02:02:25 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F5A299D.2040206@KingsMountain.com>
In-Reply-To: <4F5A299D.2040206@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Mar 2012 01:02:30 -0000

On 2012-03-09 17:02, =JeffH wrote:
> ...
> Well, i'm not terribly convinced about this, especially given my code
> reconnaissance in Firefox and Chrome. The spec clearly states what the

When you checked Firefox, did it support quoted-string for extension 
directives? See?

Speaking of which: do you have a test suite, or at least a big 
repertoire of examples?

> syntax is for those directives and it doesn't encompass quoted-string
> variants of the values for max-age and delta-seconds. I think adding
> something like that will needlessly complicate the spec, so I
> respectfully decline to make such a change.
> ...

I believe both the spec and implementations will be simpler if the 
syntax of a parameter does not depend on the parameter name.

Best regards, Julian
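
Julian's point above, as an added example (this is not code from the draft, from Firefox or from Chrome, and names such as parse_sts and StsPolicy are constructed here): a Strict-Transport-Security parser whose scanner treats every directive-value as token / quoted-string without knowing which directive it is reading, and which validates max-age as delta-seconds only after quoted-string unescaping. The header is ignored (None) on a syntax error, a missing or malformed max-age, a directive given twice, or includeSubDomains carrying a value; the last two are this example's strictness choices, not something the thread settles.

```python
"""Strict-Transport-Security parser with a name-independent value grammar."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# RFC 2616 token: any CHAR except CTLs and separators
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def _is_token_char(c: str) -> bool:
    return 32 < ord(c) < 127 and c not in _SEPARATORS


@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool


def _scan_directives(header: str) -> list[tuple[str, Optional[str]]]:
    """Split a header value into (name, value) pairs. A value comes back
    unescaped whether it was a token or a quoted-string; the scanner never
    looks at the directive name. Raises ValueError on a syntax error."""
    pairs: list[tuple[str, Optional[str]]] = []
    i, n = 0, len(header)

    def skip_ows() -> None:
        nonlocal i
        while i < n and header[i] in " \t":
            i += 1

    while i < n:
        skip_ows()
        if i >= n:
            break
        if header[i] == ";":                 # empty directive, allowed by the ABNF
            i += 1
            continue
        start = i                            # directive-name = token
        while i < n and _is_token_char(header[i]):
            i += 1
        if i == start:
            raise ValueError(f"expected directive-name at offset {i}")
        name = header[start:i]
        skip_ows()
        value: Optional[str] = None
        if i < n and header[i] == "=":
            i += 1
            skip_ows()
            if i < n and header[i] == '"':   # quoted-string, may contain ';'
                i += 1
                buf: list[str] = []
                while True:
                    if i >= n:
                        raise ValueError("unterminated quoted-string")
                    c = header[i]
                    if c == "\\" and i + 1 < n:          # quoted-pair
                        buf.append(header[i + 1])
                        i += 2
                    elif c == '"':
                        i += 1
                        break
                    else:
                        buf.append(c)
                        i += 1
                value = "".join(buf)
            else:                            # token
                start = i
                while i < n and _is_token_char(header[i]):
                    i += 1
                if i == start:
                    raise ValueError(f"expected directive-value at offset {i}")
                value = header[start:i]
        skip_ows()
        if i < n:
            if header[i] != ";":
                raise ValueError(f"unexpected {header[i]!r} at offset {i}")
            i += 1
        pairs.append((name, value))
    return pairs


def parse_sts(header: str) -> Optional[StsPolicy]:
    """Return the policy carried by one STS header field value, or None when
    the UA should ignore the field."""
    try:
        pairs = _scan_directives(header)
    except ValueError:
        return None
    seen: dict[str, Optional[str]] = {}
    for name, value in pairs:
        key = name.lower()                   # directive names are case-insensitive
        if key in seen:
            return None                      # directive given twice
        seen[key] = value
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                          # delta-seconds = 1*DIGIT, checked after unescaping
    if "includesubdomains" in seen and seen["includesubdomains"] is not None:
        return None                          # includeSubDomains takes no value
    return StsPolicy(int(max_age), "includesubdomains" in seen)
```

Because the scanner is name-agnostic, `max-age="31536000"` and `max-age=31536000` yield the same policy, and a future extension directive with a quoted value containing `;` is tokenised correctly without the spec having to say anything about it.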

From tobias.gondrom@gondrom.org  Sat Mar 10 17:07:37 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0348F21F854D for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Level: 
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4qxwEy06Ld9 for <websec@ietfa.amsl.com>; Sat, 10 Mar 2012 17:07:36 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id DEC8821F8545 for <websec@ietf.org>; Sat, 10 Mar 2012 17:07:35 -0800 (PST)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=LQGxCgW6VdL5WILzo1CdDXkEPs0nUS6wD/ZZBLqZ/ceV9226pmoy+41BKnVfNJhQBih667Z5ul5dKI5xQLALv6Ut9AwZKd4CIMIX9nWtDZWt2xvKpVon+CXpN/VAtyKP; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 5507 invoked from network); 11 Mar 2012 02:07:30 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 11 Mar 2012 02:07:30 +0100
Message-ID: <4F5BFAD1.6080804@gondrom.org>
Date: Sun, 11 Mar 2012 01:07:29 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <4F5A780E.6000208@KingsMountain.com>
In-Reply-To: <4F5A780E.6000208@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05  - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 01:07:37 -0000

Hi Jeff,

thank you very much for posting the update.

I like the new version and think we are getting close.

<hat="individual">

A few comments that would not interfere with WGLC. Mostly editorial 
(spelling stuff), but also two technical comments at the end of this 
email. The first technical comment is easy; the second may be more of an 
issue and may need one paragraph added to specify behaviour in the 
described case. (If it's not already there and I just missed it.)

editorial:
- Section 1:
-- in the next version please remove the line " [ Please discuss this 
draft on the WebSec@ietf.org mailing list [WEBSEC]. ]"
-- in first paragraph, is the link to informative reference 
[I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired 
I-D?

- Section 2.4.1.1
-- s/3.UAs need to persistently remember web sites that signal strict 
security policy enablement, for a web site declared time span./3.UAs 
need to persistently remember web sites that signal strict security 
policy enablement, for a by the web site declared time span.

- Section 3:
-- s/Note:  ..is a note to the reader.  These are points that should be 
expressly kept in mind and/or considered./Note: This is a note to the 
reader.  These are points that should be expressly kept in mind and/or 
considered.

- Section 5:
-- [with this one I am not 100% sure]
s/An HSTS Host conveys its HSTS Policy to UAs, only over secure 
transport (e.g., TLS), via the Strict-Transport-Security HTTP response 
header field./An HSTS Host conveys its HSTS Policy to UAs only over 
secure transport (e.g., TLS) via the Strict-Transport-Security HTTP 
response header field.

- Section 6:
-- s/This section defines the syntax of the new header this 
specification introduces. It also provides a short description of the 
function the header./This section defines the syntax of the new header 
as introduced by this specification. It also provides a short 
description of the function of the header.
-- s/The Section 7 "Server Processing Model" section details/The Section 
7 "Server Processing Model" details
--s/Likewise, the Section 8 "User Agent Processing Model" section 
details/Likewise, the Section 8 "User Agent Processing Model" details

- Section 6.1, last paragraph:
-- s/Additional directives extending the the semantic functionality of 
the/Additional directives extending the semantic functionality of the

- Section 6.1.1.
-- s/see also Section 8.1.1 "Noting a HSTS Host", below/see also Section 
8.1.1 "Noting a HSTS Host" below

- Section 8.1.2, point 1
-- s/and ignoring separator characters (see clause 3.1(4) of 
[RFC3986]./and ignoring separator characters (see clause 3.1(4) of 
[RFC3986]).
-- what do you mean by clause 3.1(4) of RFC3986?

- Section 8.3
-- s/(e.g., certificate errors)/(e.g. certificate errors)

- Section 8.5:
-- s/until the max-age value for the knowledge that Known HSTS Host is 
reached./until the max-age value for the knowledge of that Known HSTS 
Host is reached.
-- s/Note that the max age could be infinite for a given Known HSTS 
Host./Note that the max-age value could be infinite for a given Known 
HSTS Host.

- Section 12.2 title:
-- s/Determining the Effective Requrest URI/Determining the Effective 
Request URI

- Section 12.2.1 title:
-- s/Effective Requrest URI Examples/Effective Request URI Examples

- Appendix B, last paragraph:
-- s/In summary, although both HSTS Policy and SOP are enforced by by 
UAs,/In summary, although both HSTS Policy and SOP are enforced by UAs,


And two technical COMMENTS:
- Section 5, paragraph 2:
"Receipt of this header field signals to UAs to enforce the HSTS Policy 
for all subsequent secure transport connections made to the HSTS Host, 
for a specified time duration."
Actually the UA must enforce this for all subsequent transport 
connections, be they secure or non-secure (i.e. if they are non-secure 
the scheme MUST be changed to secure (http->https)).

- it seems we have missed specifying one scenario:
The case is the following: A UA notes a superdomain, e.g. example.com, as 
a Known HSTS Host with "includeSubDomains". Then after that the UA also 
receives an HSTS header from subdomain foo.example.com (with or without 
"includeSubDomains") and a new max-age (longer or shorter time).
The point is that in that case the HSTS timer of the superdomain 
(example.com) MUST NOT be changed (extended or shortened) to the timer 
used in the subdomain.
In fact the UA MUST keep both timers in cache independently, and if at 
some point either one of them is removed (be it due to expiry or because 
of an update setting max-age=0), the remaining HSTS value MUST still 
be kept intact and applied. This is mainly to prevent a subdomain from 
invalidating the HSTS flag of the superdomain or making it expire, and 
vice versa.

Best regards, Tobias


On 09/03/12 21:37, =JeffH wrote:
> As far as I know, draft-ietf-websec-strict-transport-sec-05 is ready 
> for WG Last Call.
>
> =JeffH
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec



From trac+websec@trac.tools.ietf.org  Sun Mar 11 09:47:40 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD90221F87BC for <websec@ietfa.amsl.com>; Sun, 11 Mar 2012 09:47:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epuEYYYnSE6f for <websec@ietfa.amsl.com>; Sun, 11 Mar 2012 09:47:40 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id EAF7721F8754 for <websec@ietf.org>; Sun, 11 Mar 2012 09:47:37 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S6lvQ-0003jd-MW; Sun, 11 Mar 2012 12:47:16 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, tobias.gondrom@gondrom.org
X-Trac-Project: websec
Date: Sun, 11 Mar 2012 16:47:15 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/37
Message-ID: <067.4afd58f6d675d5bdb2f19d83a8c1d99a@trac.tools.ietf.org>
X-Trac-Ticket-ID: 37
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, tobias.gondrom@gondrom.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120311164737.EAF7721F8754@ietfa.amsl.com>
Resent-Date: Sun, 11 Mar 2012 09:47:37 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec] #37: Clarify that superdomain HSTS flag does not update max-age of subdomain's HSTS max-age and vice versa
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 16:47:40 -0000

#37: Clarify that superdomain HSTS flag does not update max-age of subdomain's
HSTS max-age and vice versa

 The case is the following: A UA notes a superdomain, e.g. example.com, as a
 Known HSTS Host with "includeSubDomains". Then after that the UA also
 receives an HSTS header from subdomain foo.example.com (with or without
 "includeSubDomains") and a new max-age (longer or shorter time).
 The point is that in that case the HSTS timer of the superdomain (example.com)
 MUST NOT be changed (extended or shortened) to the timer used in the
 subdomain.
 In fact the UA MUST keep both timers in cache independently, and if at some
 point either one of them is removed (be it due to expiry or because of an
 update setting max-age=0), the remaining HSTS value MUST still be
 kept intact and applied. This is mainly to prevent a subdomain from
 invalidating the HSTS flag of the superdomain or making it expire, and vice
 versa.

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
  tobias.gondrom@…       |  sec@…
     Type:  enhancement  |     Status:  new
 Priority:  major        |  Milestone:
Component:  strict-      |    Version:
  transport-sec          |   Keywords:
 Severity:  -            |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/37>
websec <http://tools.ietf.org/websec/>
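
Tobias's two technical comments in his WGLC mail and ticket #37 above describe UA behaviour that the draft text on this page does not spell out. The following added example models it (this is not code from the draft or from any browser; HstsStore, the hostnames, times and max-age values are constructed for the example): each Known HSTS Host keeps its own expiry, a header from foo.example.com never touches example.com's entry or vice versa, max-age=0 removes only the entry of the host that sent it, and an http URI for a host covered by the store is rewritten to https. Port handling follows the rule in RFC 6797 section 8.3 (an explicit port 80 becomes the https default, any other explicit port is kept); userinfo and IP-literal hosts are outside what the example handles.

```python
"""UA-side HSTS policy store with independent per-host timers."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class KnownHost:
    expires_at: float            # absolute time in seconds
    include_subdomains: bool


class HstsStore:
    def __init__(self) -> None:
        self._hosts: dict[str, KnownHost] = {}

    def note_host(self, host: str, max_age: int, include_subdomains: bool, now: float) -> None:
        """Record the freshest policy received from `host` over secure transport.
        Only `host`'s own entry is written; entries of its superdomains and
        subdomains are never read or modified here."""
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)          # forget this host, nothing else
        else:
            self._hosts[host] = KnownHost(now + max_age, include_subdomains)

    def _expire(self, now: float) -> None:
        for host in [h for h, e in self._hosts.items() if e.expires_at <= now]:
            del self._hosts[host]

    def is_known(self, host: str, now: float) -> bool:
        """True if `host` matches a Known HSTS Host exactly, or is a subdomain of
        one whose entry carries includeSubDomains."""
        self._expire(now)
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):             # foo.example.com, example.com, com
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is not None and (i == 0 or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Apply the policy to an http URI: scheme becomes https, explicit port 80
        is dropped (https default), any other explicit port is preserved."""
        p = urlsplit(url)
        host = p.hostname
        if p.scheme != "http" or not host or ":" in host or host.replace(".", "").isdigit():
            return url                           # not http, or an IP-literal host
        if not self.is_known(host, now):
            return url
        netloc = host if p.port in (None, 80) else f"{host}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def ticket_37_scenario() -> dict[str, bool]:
    """The sequence from ticket #37, in both directions; every value must be True."""
    t0 = 1_000_000.0
    store = HstsStore()
    store.note_host("example.com", 86400, True, t0)         # superdomain: one day, includeSubDomains
    store.note_host("foo.example.com", 60, False, t0 + 10)  # subdomain: much shorter timer
    super_timer_untouched = store._hosts["example.com"].expires_at == t0 + 86400
    store.note_host("foo.example.com", 0, False, t0 + 20)   # subdomain sends max-age=0
    sub_entry_removed = "foo.example.com" not in store._hosts
    super_still_known = store.is_known("example.com", t0 + 30)
    sub_still_covered = store.is_known("foo.example.com", t0 + 30)   # via the superdomain's flag

    # and vice versa: removing the superdomain must not take the subdomain with it
    other = HstsStore()
    other.note_host("example.com", 60, True, t0)
    other.note_host("foo.example.com", 86400, False, t0)
    other.note_host("example.com", 0, True, t0 + 10)
    sub_survives_super_removal = other.is_known("foo.example.com", t0 + 20)
    super_gone = not other.is_known("example.com", t0 + 20)
    sibling_no_longer_covered = not other.is_known("bar.example.com", t0 + 20)
    return {
        "super_timer_untouched": super_timer_untouched,
        "sub_entry_removed": sub_entry_removed,
        "super_still_known": super_still_known,
        "sub_still_covered": sub_still_covered,
        "sub_survives_super_removal": sub_survives_super_removal,
        "super_gone": super_gone,
        "sibling_no_longer_covered": sibling_no_longer_covered,
    }
```

The design point is that note_host writes exactly one key and is_known walks the label hierarchy at lookup time; a store that instead propagated a subdomain's max-age into the superdomain entry (or cached the merged answer) is what lets foo.example.com shorten or clear example.com's policy.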


From tobias.gondrom@gondrom.org  Sun Mar 11 09:48:28 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A0B521F87BC for <websec@ietfa.amsl.com>; Sun, 11 Mar 2012 09:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.628
X-Spam-Level: 
X-Spam-Status: No, score=-95.628 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, MANGLED_TOOL=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0IId7W+6-9i3 for <websec@ietfa.amsl.com>; Sun, 11 Mar 2012 09:48:27 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 99F9321F8754 for <websec@ietf.org>; Sun, 11 Mar 2012 09:48:26 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=M6lk+qucGY0p0sSxax4WXnwvxIbt9rLZh2ZmqVfT7NM6TeLcTkC5H+P8Hy2O0moPAS5zCdi8PTBZhKz5nPKFjF+6+Tc/boMTMYaL1bH24VDei9Milef0rg2bdZRydkZP; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 22054 invoked from network); 11 Mar 2012 17:48:07 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 11 Mar 2012 17:48:07 +0100
Message-ID: <4F5CD747.2090600@gondrom.org>
Date: Sun, 11 Mar 2012 16:48:07 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <4F5A720D.8040106@KingsMountain.com>
In-Reply-To: <4F5A720D.8040106@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-05
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 16:48:28 -0000

Hi Jeff,

<hat="individual">
thanks. Went through the list of all tickets 1-36 and can confirm that 
IMHO all have been addressed sufficiently.

Best regards, Tobias


On 09/03/12 21:11, =JeffH wrote:
> New rev:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
> With this rev, all issue tickets are now nominally addressed. Full 
> change log
> below, and full -04 announcement message at end.
>
> Changes from -04 to -05 address: 33, 36
>
> Changes from -03 to -04 address: 13, 14, 27, 28, 29, 30, 31, 32, 33, 34,
>                                   35, 36
>
> Changes from -02 to -03 address: 14, 26, 27
>
> Changes from -01 to -02 address: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
>
>
> full issue ticket list for strict-transport-sec:
> <http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id> 
>
>
> Diff from previous version:
> http://tools.ietf.org/rfcdiff?url2=draft-ietf-websec-strict-transport-sec-05 
>
>
> =JeffH
>
>
> ==============================================================
>
> Appendix D.  Change Log
>
>    [RFCEditor: please remove this section upon publication as an RFC.]
>
>    Changes are grouped by spec revision listed in reverse issuance
>    order.
>
> D.1.  For draft-ietf-websec-strict-transport-sec
>
>       Changes from -04 to -05:
>
>       1.  Fixed up references to move certain ones back to the normative
>           section -- as requested by Alexey M. Added explanation for
>           referencing obsoleted [RFC3490] and [RFC3492].  This addresses
>           issue ticket #36.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
>       2.  Made minor change to Strict-Transport-Security header field
>           ABNF in order to address further feedback as appended to
>           ticket #33.  This addresses issue ticket #33.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
>       Changes from -03 to -04:
>
>       1.   Clarified that max-age=0 will cause UA to forget a known HSTS
>            host, and more generally clarified that the "freshest" info
>            from the HSTS host is cached, and thus HSTS hosts are able to
>            alter the cached max-age in UAs.  This addresses issue ticket
>            #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>
>
>       2.   Updated section on "Constructing an Effective Request URI" to
>            remove remaining reference to RFC3986 and reference RFC2616
>            instead.  Further addresses issue ticket #14.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
>       3.   Addresses further ABNF issues noted in comment:1 of issue
>            ticket #27. <http://trac.tools.ietf.org/wg/websec/trac/
>            ticket/27#comment:1>
>
>       4.   Reworked the introduction to clarify the denotation of "HSTS
>            policy" and added the new Appendix B summarizing the primary
>            characteristics of HSTS Policy and Same-Origin Policy, and
>            identifying their differences.  Added ref to [RFC4732].  This
>            addresses issue ticket #28.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>
>
>       5.   Reworked language in Section 2.3.1.3. wrt "mixed content",
>            more clearly explain such vulnerability, disambiguate "mixed
>            content" in web security context from its usage in markup
>            language context.  This addresses issue ticket #29.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>
>
>       6.   Expanded Denial of Service discussion in Security
>            Considerations.  Added refs to [RFC4732] and [CWE-113].  This
>            addresses issue ticket #30.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>
>
>       7.   Mentioned in prose the case-insensitivity of directive names.
>            This addresses issue ticket #31.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>
>
>       8.   Added Section 10.3 "Implications of includeSubDomains".  This
>            addresses issue ticket #32.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>
>
>       9.   Further refines text and ABNF definitions of STS header field
>            directives.  Retains use of quoted-string in directive
>            grammar.  This addresses issue ticket #33.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>
>
>       10.  Added Section 14.7 "Creative Manipulation of HSTS Policy
>            Store", including reference to [WebTracking].  This addresses
>            issue ticket #34.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>
>
>       11.  Added Section 14.1 "Ramifications of HSTS Policy
>            Establishment only over Error-free Secure Transport" and made
>            some accompanying editorial fixes in some other sections.
>            This addresses issue ticket #35.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>
>
>
>
> Hodges, et al.         Expires September 10, 2012              [Page 38]
> 
> Internet-Draft    HTTP Strict Transport Security (HSTS)       March 2012
>
>
>       12.  Refined references.  Cleaned out un-used ones, updated to
>            latest RFCs for others, consigned many to Informational.
>            This addresses issue ticket #36.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>
>
>       13.  Fixed-up some inaccuracies in the "Changes from -02 to -03"
>            section.
>
>       Changes from -02 to -03:
>
>       1.  Updated section on "Constructing an Effective Request URI" to
>           remove references to RFC3986.  Addresses issue ticket #14.
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>
>
>       2.  Reference RFC5890 for IDNA, retaining subordinate refs to
>           RFC3490.  Updated IDNA-specific language, e.g. domain name
>           canonicalization and IDNA dependencies.  Addresses issue
>           ticket #26
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.
>
>       3.  Completely re-wrote the STS header ABNF to be fully based on
>           RFC2616, rather than a hybrid of RFC2616 and httpbis.
>           Addresses issue ticket #27
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.
>
>       Changes from -01 to -02:
>
>       1.   Updated Section 8.2 "URI Loading and Port Mapping" fairly
>            thoroughly in terms of refining the presentation of the
>            steps, and to ensure the various aspects of port mapping are
>            clear.  Nominally fixes issue ticket #1
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>
>
>       2.   Removed dependencies on
>            [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
>            ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
>            Header Field" by lifting some productions entirely from
>            [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
>            [RFC2616].  Addresses issue ticket #2
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.
>
>       3.   Updated Effective Request URI section and definition to use
>            language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
>            ABNF from [RFC2616].  Fixes issue ticket #3
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.
>
>       4.   Added explicit mention that the HSTS policy applies to all
>            TCP ports of a host advertising the HSTS policy.  Nominally
>            fixes issue ticket #4
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>
>
>       5.   Clarified the need for the "includeSubDomains" directive,
>            e.g. to protect Secure-flagged domain cookies.  In
>            Section 14.2 "The Need for includeSubDomains".  Nominally
>            fixes issue ticket #5
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
>
>       6.   Cited Firesheep as real-live threat in Section 2.3.1.1
>            "Passive Network Attackers".  Nominally fixes issue ticket #6
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.
>
>       7.   Added text to Section 11 "User Agent Implementation Advice"
>            justifying connection termination due to tls warnings/errors.
>            Nominally fixes issue ticket #7
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.
>
>       8.   Added new subsection Section 8.5 "Interstitially Missing
>            Strict-Transport-Security Response Header Field".  Nominally
>            fixes issue ticket #8
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.
>
>       9.   Added text to Section 8.3 "Errors in Secure Transport
>            Establishment" explicitly note revocation check failures as
>            errors causing connection termination.  Added references to
>            [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.
>
>       10.  Added a sentence, noting that distributing specific end-
>            entity certificates to browsers will also work for self-
>            signed/private-CA cases, to Section 10 "Server Implementation
>            and Deployment Advice" Nominally fixes issue ticket #10
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.
>
>       11.  Moved "with no user recourse" language from Section 8.3
>            "Errors in Secure Transport Establishment" to Section 11
>            "User Agent Implementation Advice".  This nominally fixes
>            issue ticket #11
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.
>
>       12.  Removed any and all dependencies on
>            [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
>            on [RFC2616] only.  Fixes issue ticket #12
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
>
>       13.  Removed the inline "XXX1" issue because no one had commented
>            on it and it seems reasonable to suggest as a SHOULD that web
>            apps should redirect incoming insecure connections to secure
>            connections.
>
>       14.  Removed the inline "XXX2" issue because it was simply for
>            raising consciousness about having some means for
>            distributing secure web application metadata.
>
>       15.  Removed "TODO1" because description prose for "max-age" in
>            the Note following the ABNF in Section 6 seems to be fine.
>
>       16.  Decided for "TODO2" that "the first STS header field wins".
>            TODO2 had read: "Decide UA behavior in face of encountering
>            multiple HSTS headers in a message.  Use first header?
>            Last?".  Removed TODO2.
>
>       17.  Added Section 1.1 "Organization of this specification" for
>            readers' convenience.
>
>       18.  Moved design decision notes to be a proper appendix
>            Appendix A.
>
>       Changes from -00 to -01:
>
>       1.  Changed the "URI Loading" section to be "URI Loading and Port
>           Mapping".
>
>       2.  [HASMAT] reference changed to [WEBSEC].
>
>       3.  Changed "server" -> "host" where applicable, notably when
>           discussing "HSTS Hosts".  Left as "server" when discussing
>           e.g. "http server"s.
>
>       4.  Fixed minor editorial nits.
>
>       Changes from draft-hodges-strict-transport-sec-02 to
>       draft-ietf-websec-strict-transport-sec-00:
>
>       1.  Altered spec metadata (e.g. filename, date) in order to submit
>           as a WebSec working group Internet-Draft.
>
> D.2.  For draft-hodges-strict-transport-sec
>
>       Changes from -01 to -02:
>
>       1.   updated abstract such that means for expressing HSTS Policy
>            other than via HSTS header field is noted.
>
>
>       2.   Changed spec title to "HTTP Strict Transport Security (HSTS)"
>            from "Strict Transport Security".  Updated use of "STS"
>            acronym throughout spec to HSTS (except for when specifically
>            discussing syntax of Strict-Transport-Security HTTP Response
>            Header field), updated "Terminology" appropriately.
>
>       3.   Updated the discussion of "Passive Network Attackers" to be
>            more precise and offered references.
>
>       4.   Removed para on normative/non-normative from "Conformance
>            Criteria" pending polishing said section to IETF RFC norms.
>
>       5.   Added examples subsection to "Syntax" section.
>
>       6.   Added OWS to maxAge production in Strict-Transport-Security
>            ABNF.
>
>       7.   Cleaned up explanation in the "Note:" in the "HTTP-over-
>            Secure-Transport Request Type" section, folded 3d para into
>            "Note:", added conformance clauses to the latter.
>
>       8.   Added explanatory "Note:" and reference to "HTTP Request
>            Type" section.  Added "XXX1" issue.
>
>       9.   Added conformance clause to "URI Loading".
>
>       10.  Moved "Notes for STS Server implementors:" from "UA
>            Implementation Advice" to "HSTS Policy expiration time
>            considerations:" in "Server Implementation Advice", and also
>            noted another option.
>
>       11.  Added cautionary "Note:" to "Ability to delete UA's cached
>            HSTS Policy on a per HSTS Server basis".
>
>       12.  Added some informative references.
>
>       13.  Various minor editorial fixes.
>
>       Changes from -00 to -01:
>
>       1.  Added reference to HASMAT mailing list and request that this
>           spec be discussed there.
>
> ==============================================================
>
> Subject: [websec] I-D Action: 
> draft-ietf-websec-strict-transport-sec-05.txt
> From: internet-drafts@ietf.org
> Date: Fri, 09 Mar 2012 13:00:09 -0800
> To: i-d-announce@ietf.org
> Cc: websec@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories. This draft is a work item of the Web Security Working 
> Group of the IETF.
>
>     Title           : HTTP Strict Transport Security (HSTS)
>     Author(s)       : Jeff Hodges
>                           Collin Jackson
>                           Adam Barth
>     Filename        : draft-ietf-websec-strict-transport-sec-05.txt
>     Pages           : 43
>     Date            : 2012-03-09
>
>    This specification defines a mechanism enabling Web sites to declare
>    themselves accessible only via secure connections, and/or for users
>    to be able to direct their user agent(s) to interact with given sites
>    only over secure connections.  This overall policy is referred to as
>    HTTP Strict Transport Security (HSTS).  The policy is declared by Web
>    sites via the Strict-Transport-Security HTTP response header field,
>    and/or by other means, such as user agent configuration, for example.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-05.txt 
>
>
>
> ==============================================================
> end
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From Jeff.Hodges@KingsMountain.com  Mon Mar 12 16:30:45 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998C621E81E7 for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:30:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.101
X-Spam-Level: 
X-Spam-Status: No, score=-100.101 tagged_above=-999 required=5 tests=[AWL=0.394, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGQAJJBq8efA for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:30:44 -0700 (PDT)
Received: from oproxy6-pub.bluehost.com (oproxy6.bluehost.com [IPv6:2605:dc00:100:2::a6]) by ietfa.amsl.com (Postfix) with SMTP id 4830E21E81F5 for <websec@ietf.org>; Mon, 12 Mar 2012 16:30:44 -0700 (PDT)
Received: (qmail 12319 invoked by uid 0); 12 Mar 2012 23:30:43 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 12 Mar 2012 23:30:43 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=J+YM7TPuNOGu9eR7yJ5KHNQQWgR/9sU8G/uIVXfHFsc=;  b=4svaUFBsQHzeHqi0yJcVPjHiNiDcP9BRh4GScBJ03f88huVKrzGKk7XYHxgH1xGS583aD/wcU2Znwmy4O0ocYjJHXYzBXe5HiUQZcK6H9rafhltv7BxZ6HGJy/ynut+S;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.11]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S7EhO-0003aB-Qk; Mon, 12 Mar 2012 17:30:42 -0600
Message-ID: <4F5E8721.8040601@KingsMountain.com>
Date: Mon, 12 Mar 2012 16:30:41 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05  - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 23:30:45 -0000

Thanks for your review Tobias.

when I say "done" or "fixed" below, I mean in a forthcoming -06 revision.

 > A few comments that would not interfere with WGLC. Mostly editorial
 > (spelling stuff), but also two technical comments at the end of this
 > email. The first technical is easy, the second technical comment may be
 > more an issue and may need adding one paragraph to specify behaviour in
 > the described case. (If it's not already there and I just missed it.)
 >
 > editorial:
 > - Section 1:
 > -- in the next version please remove the line " [ Please discuss this
 > draft on the WebSec@ietf.org mailing list [WEBSEC]. ]"

sure, will do -- tho I figured that the RFC-Editor would remove this as a 
matter of course.

 > -- in first paragraph, is the link to informative reference
 > [I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired
 > I-D?

Yes, for SSLv3, that's the canonical reference -- it never progressed further.
I've added an annotation to the reference.


 > - Section 2.4.1.1
 > -- s/3.UAs need to persistently remember web sites that signal strict
 > security policy enablement, for a web site declared time span./3.UAs
 > need to persistently remember web sites that signal strict security
 > policy enablement, for a by the web site declared time span.

hm, your suggested substitution doesn't parse well. Perhaps you meant something 
like this..

   UAs need to persistently remember web sites that signal strict
   security policy enablement, for time spans declared by the web sites.

..?


 >
 > - Section 3:
 > -- s/Note:  ..is a note to the reader.  These are points that should be
 > expressly kept in mind and/or considered./Note: This is a note to the
 > reader.  These are points that should be expressly kept in mind and/or
 > considered.

done.



 > - Section 5:
 > -- [with this one I am not 100% sure]
 > s/An HSTS Host conveys its HSTS Policy to UAs, only over secure
 > transport (e.g., TLS), via the Strict-Transport-Security HTTP response
 > header field./An HSTS Host conveys its HSTS Policy to UAs only over
 > secure transport (e.g., TLS) via the Strict-Transport-Security HTTP
 > response header field.

yes, that sentence is tortured.

I've done this..

         An HSTS Host conveys its HSTS Policy to UAs via the
         Strict-Transport-Security HTTP response header field
         over secure transport (e.g., TLS).



 > - Section 6:
 > -- s/This section defines the syntax of the new header this
 > specification introduces. It also provides a short description of the
 > function the header./This section defines the syntax of the new header
 > as introduced by this specification. It also provides a short
 > description of the function of the header.
 >
 > -- s/The Section 7 "Server Processing Model" section details/The Section
 > 7 "Server Processing Model" details
 > --s/Likewise, the Section 8 "User Agent Processing Model" section
 > details/Likewise, the Section 8 "User Agent Processing Model" details

Yes, those paragraphs could use some improvement. I've changed them to..

    This section defines the syntax of the Strict-Transport-Security HTTP
    response header field and its directives, and presents some examples.

    Section 7 "Server Processing Model" then details how hosts employ
    this header field to declare their HSTS Policy, and Section 8 "User
    Agent Processing Model" details how user agents process the header
    field and apply the HSTS Policy.


 > - Section 6.1, last paragraph:
 > -- s/Additional directives extending the the semantic functionality of
 > the/Additional directives extending the semantic functionality of the

done.


 > - Section 6.1.1.
 > -- s/see also Section 8.1.1 "Noting a HSTS Host", below/see also Section
 > 8.1.1 "Noting a HSTS Host" below

", above." and ", below." (i.e., including the commas) are commonly used 
stylistic constructions. They are also used without the commas. I prefer them 
with. e.g. observe their use here..

   https://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style


 > - Section 8.1.2, point 1
 > -- s/and ignoring separator characters (see clause 3.1(4) of
 > [RFC3986]./and ignoring separator characters (see clause 3.1(4) of
 > [RFC3986]).

done.

 > -- what do you mean by clause 3.1(4) of RFC3986?

oops, good catch.  that was supposed to be "clause 3.1(4) of RFC3490", but 
that's now inappropriate due to its obsolescence by RFC5890 et al. I've fixed 
that sentence to be these two sentences..

                                       For each Known HSTS Host's domain
        name, the comparison is done with the query domain name label-by-
        label using an ASCII case-insensitive comparison beginning with
        the rightmost label, continuing right-to-left, and ignoring
        separator characters.  See also section 2.3.2.4. of [RFC5890].



 >
 > - Section 8.3
 > -- s/(e.g., certificate errors)/(e.g. certificate errors)

this is a matter of style. see also Chicago Manual of Style, section 5.54, as 
well as Wikipedia:Manual_of_Style.


 >
 > - Section 8.5:
 > -- s/until the max-age value for the knowledge that Known HSTS Host is
 > reached./until the max-age value for the knowledge of that Known HSTS
 > Host is reached.

done.

 > -- s/Note that the max age could be infinite for a given Known HSTS
 > Host./Note that the max-age value could be infinite for a given Known
 > HSTS Host.

done.


 >
 > - Section 12.2 title:
 > -- s/Determining the Effective Requrest URI/Determining the Effective
 > Request URI

done.


 >
 > - Section 12.2.1 title:
 > -- s/Effective Requrest URI Examples/Effective Request URI Examples

done.  (I wonder how my prior spell-check run missed these? sigh.)


 >
 > - Appendix B, last paragraph:
 > -- s/In summary, although both HSTS Policy and SOP are enforced by by
 > UAs,/In summary, although both HSTS Policy and SOP are enforced by UAs,

done.


 > And two technical COMMENTS:
 > - Section 5, paragraph 2:
 > "Receipt of this header field signals to UAs to enforce the HSTS Policy
 > for all subsequent secure transport connections made to the HSTS Host,
 > for a specified time duration."
 > Actually the UA must enforce this for all subsequent transport
 > connections be they secure or non-secure (i.e. if they are non-secure
 > the scheme MUST be changed to secure (http->https)).

good catch, thanks. fixed.


 > - it seems we have missed to specify one scenario:
 >
 > The case is the following: A UA notes a superdomain e.g. example.com as
 > a Known HSTS Host, with "includeSubDomains". Then after that the UA also
 > receives a HSTS header from subdomain foo.example.com (with or without
 > "includeSubDomains") and new max-age (longer or shorter time).
 > The point is in that case the HSTS timer of the superdomain
 > (example.com) MUST NOT be changed (extended or shortened) to the timer
 > used in the subdomain.
 >
 > In fact the UA MUST keep both timers in cache independently and if at
 > some point either one of them is removed (be due to expiry or because of
 > an update setting max-age=0), the second remaining HSTS value MUST still
 > be kept intact and applied. This is mainly to prevent that a subdomain
 > can invalidate the HSTS flag of the superdomain or make it expire and
 > vice versa.

yes, upon review, i think the language here in 8.1.2 "Known HSTS Host Domain 
Name Matching" (as well as in "Noting a HSTS Host") could stand some 
polishing/re-working.

Tho I'll reply on it in more detail in the "37: Clarify that superdomain HSTS 
flag does not update max-age of subdomain's HSTS max-age and vice versa" thread 
in the next day or so.

Unfortunately, the I-D deadline for IETF-83 is upon us in the next 45min, and I 
need to get -06 submitted.  Addressing this item will have to be in an -07 (I 
don't want to rush it here in the next 30 min and mess it up further).


thanks again for the detailed review,

=JeffH
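A minimal user-agent policy store, added here as a worked example (it is not code from the draft or from either correspondent), that models the points in this exchange: the label-by-label, right-to-left, case-insensitive matching from 8.1.2, "freshest information wins" with max-age=0 forgetting a host, http-to-https enforcement for Known HSTS Hosts, and the independent superdomain/subdomain timers Tobias describes. The port handling (an explicit port 80 becomes 443, any other explicit port is kept) follows the draft's Section 8.2 "URI Loading and Port Mapping" rather than anything quoted in this thread, and all function names and sample hosts are constructed.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS field value into (max_age, includeSubDomains), or None if
    max-age is missing or non-numeric. Directive names are case-insensitive,
    max-age may be a quoted-string, and unknown directives are ignored."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


def labels(domain: str) -> List[str]:
    """ASCII-lower-cased labels of a domain name, rightmost label first."""
    return [lbl.lower() for lbl in domain.rstrip(".").split(".") if lbl][::-1]


def match(known: str, query: str) -> Optional[str]:
    """Label-by-label, ASCII case-insensitive comparison starting at the
    rightmost label and continuing right-to-left, ignoring separators.
    Returns "congruent" (every label matches), "superdomain" (the Known HSTS
    Host is a proper suffix of the query at a label boundary) or None."""
    k, q = labels(known), labels(query)
    if len(k) > len(q) or k != q[: len(k)]:
        return None
    return "congruent" if len(k) == len(q) else "superdomain"


class HstsStore:
    """UA policy cache: one (expiry, includeSubDomains) entry per host, each
    with its own timer; a subdomain's header never touches its superdomain."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def note(self, host: str, sts_value: str) -> bool:
        """Record the policy from an STS header received over error-free secure
        transport: the freshest information replaces the cached entry, and
        max-age=0 makes the UA forget this host only. Returns False (ignored)
        for an unusable header."""
        parsed = parse_sts(sts_value)
        if parsed is None:
            return False
        max_age, inc = parsed
        key = ".".join(reversed(labels(host)))
        if max_age == 0:
            self._entries.pop(key, None)
        else:
            self._entries[key] = (self._now() + max_age, inc)
        return True

    def is_known(self, host: str) -> bool:
        """True if host is a Known HSTS Host, directly or through a superdomain
        entry carrying includeSubDomains. Expired entries are evicted lazily."""
        now = self._now()
        for known, (expires, inc) in list(self._entries.items()):
            if expires <= now:
                del self._entries[known]
                continue
            m = match(known, host)
            if m == "congruent" or (m == "superdomain" and inc):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Enforce the policy on an insecure URL: http -> https, an explicit
        port 80 -> 443 (the https default), any other explicit port kept."""
        p = urlsplit(url)
        if p.scheme.lower() != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def scenario() -> Dict[str, object]:
    """Tobias's superdomain/subdomain case on a fake clock (hosts constructed)."""
    clock = [1000.0]
    store = HstsStore(now=lambda: clock[0])
    store.note("example.com", 'max-age="3600"; includeSubDomains')
    store.note("foo.example.com", "max-age=60")          # shorter timer, own entry
    r: Dict[str, object] = {}
    r["sub_upgraded"] = store.rewrite("http://FOO.example.com:80/a?b=1")
    r["sibling_via_super"] = store.is_known("bar.example.com")
    r["lookalike"] = store.is_known("notexample.com")    # no label boundary
    clock[0] += 120                                       # foo's 60 s entry expires
    r["sub_after_expiry"] = store.is_known("foo.example.com")  # still covered by example.com
    store.note("foo.example.com", "max-age=0")           # forgets foo only
    r["super_after_zero"] = store.is_known("example.com")
    r["explicit_port"] = store.rewrite("http://example.com:8080/")
    return r
```

Running `scenario()` shows that the subdomain's shorter timer and its later max-age=0 leave the superdomain's entry untouched, while the superdomain's includeSubDomains keeps covering the subdomain after its own entry expires.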






From trac+websec@trac.tools.ietf.org  Mon Mar 12 16:41:25 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588BC21E823F for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:41:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGbZMyzPztbi for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 16:41:24 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id BD87A21E823D for <websec@ietf.org>; Mon, 12 Mar 2012 16:41:24 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1S7ErN-0005cQ-LZ; Mon, 12 Mar 2012 19:41:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 12 Mar 2012 23:41:00 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/38
Message-ID: <070.74b1282a899aeaed61981d3bd1eb69ce@trac.tools.ietf.org>
X-Trac-Ticket-ID: 38
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120312234124.BD87A21E823D@ietfa.amsl.com>
Resent-Date: Mon, 12 Mar 2012 16:41:24 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec]  #38: HSTS : Editorial Comments
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 23:41:25 -0000

#38: HSTS : Editorial Comments

 Tobias wrote up various editorial comments on rev -05 here..

 https://www.ietf.org/mail-archive/web/websec/current/msg01076.html

 Note: the technical comment at the very end is represented separately by
 ticket #37.

-- 
----------------------------------+------------------------------------------------
 Reporter:  jeff.hodges@…         |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                |     Status:  new
 Priority:  minor                 |  Milestone:
Component:  strict-transport-sec  |    Version:
 Severity:  Active WG Document    |   Keywords:
----------------------------------+------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/38>
websec <http://tools.ietf.org/websec/>


From internet-drafts@ietf.org  Mon Mar 12 16:49:38 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AF321E826E; Mon, 12 Mar 2012 16:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.585
X-Spam-Level: 
X-Spam-Status: No, score=-102.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmhGpRQZCyd6; Mon, 12 Mar 2012 16:49:37 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A40821F8B6D; Mon, 12 Mar 2012 16:49:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.00
Message-ID: <20120312234937.31171.45138.idtracker@ietfa.amsl.com>
Date: Mon, 12 Mar 2012 16:49:37 -0700
Cc: websec@ietf.org
Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-06.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 23:49:38 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                          Collin Jackson
                          Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-06.txt
	Pages           : 43
	Date            : 2012-03-12

   This specification defines a mechanism enabling Web sites to declare
   themselves accessible only via secure connections, and/or for users
   to be able to direct their user agent(s) to interact with given sites
   only over secure connections.  This overall policy is referred to as
   HTTP Strict Transport Security (HSTS).  The policy is declared by Web
   sites via the Strict-Transport-Security HTTP response header field,
   and/or by other means, such as user agent configuration, for example.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-06.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-06.txt


From Jeff.Hodges@KingsMountain.com  Mon Mar 12 17:27:00 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1350721E8026 for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 17:27:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.92
X-Spam-Level: 
X-Spam-Status: No, score=-98.92 tagged_above=-999 required=5 tests=[AWL=-0.839, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WudoCvK8LO8a for <websec@ietfa.amsl.com>; Mon, 12 Mar 2012 17:26:59 -0700 (PDT)
Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by ietfa.amsl.com (Postfix) with SMTP id 70C5321E8011 for <websec@ietf.org>; Mon, 12 Mar 2012 17:26:59 -0700 (PDT)
Received: (qmail 32675 invoked by uid 0); 13 Mar 2012 00:26:59 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com with SMTP; 13 Mar 2012 00:26:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=GZKBP1VrWHwzfikT/LkSpENeCAoV7u1hzTdSb0dw4/U=;  b=lk8xCd+lbJTNHvrKjYBaqGzFM5ytNuK7xiofFA+c59C7OUb2M/uHKQNjvMflkR37btzMjlrZ1lTfEdp3VxG1xie4DC62jodMuQ96jcECooa3clQVTZzhn3r5uNR3iaJ/;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.11]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1S7FZq-0007wz-82 for websec@ietf.org; Mon, 12 Mar 2012 18:26:58 -0600
Message-ID: <4F5E9451.4090807@KingsMountain.com>
Date: Mon, 12 Mar 2012 17:26:57 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] WG Last Call for -strict-transport-sec-05  - COMMENTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2012 00:27:00 -0000

I'd incorrectly said:
 >
 >> -- in first paragraph, is the link to informative reference
 >> [I-D.ietf-tls-ssl-version3] the best we can get, as it is a long expired
 >> I-D?
 >
 > Yes, for SSLv3, that's the canonical reference -- it never progressed further.
 > I've added an annotation to the reference.

thx to Yngve for reminding me about..

   The Secure Sockets Layer (SSL) Protocol Version 3.0
   <http://tools.ietf.org/html/rfc6101>

..which was (finally) published in August 2011.

I'll fix this faux pas in -07.

=JeffH







From James.H.Manger@team.telstra.com  Tue Mar 13 15:55:12 2012
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A83CF21F85DA for <websec@ietfa.amsl.com>; Tue, 13 Mar 2012 15:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.059
X-Spam-Level: 
X-Spam-Status: No, score=-2.059 tagged_above=-999 required=5 tests=[AWL=-1.158, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tgw6O0G3S7Qp for <websec@ietfa.amsl.com>; Tue, 13 Mar 2012 15:55:09 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 9C5DC21F85D9 for <websec@ietf.org>; Tue, 13 Mar 2012 15:55:07 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.73,579,1325422800"; d="scan'208";a="65751927"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipobvi.tcif.telstra.com.au with ESMTP; 14 Mar 2012 09:55:06 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6648"; a="54150249"
Received: from wsmsg3754.srv.dir.telstra.com ([172.49.40.198]) by ipcbvi.tcif.telstra.com.au with ESMTP; 14 Mar 2012 09:55:06 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3754.srv.dir.telstra.com ([172.49.40.198]) with mapi; Wed, 14 Mar 2012 09:55:05 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "websec@ietf.org" <websec@ietf.org>
Date: Wed, 14 Mar 2012 09:55:04 +1100
Thread-Topic: [websec] HSTS ABNF still broken: requires leading semi-colon
Thread-Index: Acz+D2PCnRCLfvNdTP+m7RPJk2IqWADWkbOA
Message-ID: <255B9BB34FB7D647A506DC292726F6E114EE35407A@WSMSG3153V.srv.dir.telstra.com>
References: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org> <085.567a0b02f7ef14214dd56fdf35d75fe7@trac.tools.ietf.org>
In-Reply-To: <085.567a0b02f7ef14214dd56fdf35d75fe7@trac.tools.ietf.org>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: [websec]  HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2012 22:55:12 -0000
From tobias.gondrom@gondrom.org  Sun Mar 18 15:31:33 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCD3221F850D for <websec@ietfa.amsl.com>; Sun, 18 Mar 2012 15:31:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.89
X-Spam-Level: 
X-Spam-Status: No, score=-95.89 tagged_above=-999 required=5 tests=[AWL=-0.601, BAYES_05=-1.11, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdAP8JTSNmii for <websec@ietfa.amsl.com>; Sun, 18 Mar 2012 15:31:33 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 9CD6721F84DC for <websec@ietf.org>; Sun, 18 Mar 2012 15:31:32 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=hBrfymWvQgCCMUisMIt3LTYb5qmpa8OCFFWw+xFAbGxL+20NAPfymX8WONbZciLt86e1I4AZqlICD+4UATNcGJeWRVVd/iMwVb/XuoIPksccfj5FD48Sz81QgtA1v44X; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Priority:Content-Type:Content-Transfer-Encoding;
Received: (qmail 9220 invoked from network); 18 Mar 2012 23:31:27 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.76?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Mar 2012 23:31:27 +0100
Message-ID: <4F66623F.9000300@gondrom.org>
Date: Sun, 18 Mar 2012 22:31:27 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
X-Priority: 2 (High)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2012 22:31:34 -0000

Hello dear websec fellows,

after reading the feedback, tracker entries and the updates on the HSTS 
draft, the WG chairs and secretary have the impression that the draft is 
in good shape and we like to ask for WG Last Call for this document:
http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06

As we are close to the IETF meeting in Paris, this last call will be 
extended to three weeks and close on April-9. Please make a last careful 
review of the draft and submit comments, questions and discuss items for 
this draft ASAP. You can submit them via email to the mailing-list or 
make entries for HSTS in the tracker. If you perceive any major issues, 
it might also make sense to raise them during our meeting in Paris on 
March-26.

Kind regards and thank you,

Tobias
chair of websec


Tobias Gondrom
email: tobias.gondrom@gondrom.org
mobile: +447521003005

From tobias.gondrom@gondrom.org  Sun Mar 18 17:52:28 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DDBC21F85AF for <websec@ietfa.amsl.com>; Sun, 18 Mar 2012 17:52:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.567
X-Spam-Level: 
X-Spam-Status: No, score=-96.567 tagged_above=-999 required=5 tests=[AWL=0.211, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0Zvsp7EXOLG for <websec@ietfa.amsl.com>; Sun, 18 Mar 2012 17:52:27 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5F221F85AD for <websec@ietf.org>; Sun, 18 Mar 2012 17:52:27 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=fl9/EoKTGinNEK+ChvVtZrSgWIqbYnTIuj8F5p8/hvZI5wkWfhxbMLI4u3Kwui0Q63+eL6AQ8kKez+mQX7n6B23IKe8HiGkMKjVZm43cKoZtCppr99r7aHXHk1XwjWTG; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Priority:Content-Type:Content-Transfer-Encoding;
Received: (qmail 9737 invoked from network); 19 Mar 2012 01:51:53 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.76?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Mar 2012 01:51:53 +0100
Message-ID: <4F668329.2050001@gondrom.org>
Date: Mon, 19 Mar 2012 00:51:53 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: websec@ietf.org
X-Priority: 2 (High)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [websec] websec meeting in Paris - agenda topics?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 00:52:28 -0000

Hello dear websec fellows,

the websec meeting in Paris has been scheduled for Monday March-26, 
Afternoon Session I 1300-1500 in Room Name: 242AB. Very much looking 
forward to seeing you all there!

We have a lot of upcoming topics and I hope we can make great progress 
on a number of them:
WG Last Call on HSTS (Jeff), the new draft on extended-origin, we should 
check back on the cert pinning draft,  revisit what we want to do with 
mime sniffing, and also consider future steps regarding CSP header field 
and Frame-Options ...

The current agenda ideas are here: 
http://www.ietf.org/proceedings/83/agenda/agenda-83-websec.txt
Please document authors and interested presenters contact me ASAP about 
how much time you need to present.

As we are currently preparing the agenda for the websec meeting, please 
submit proposals for presentations and discussions to Alexey, Yoav and 
myself as soon as possible as we will have to prepare and close the 
agenda for websec soon tomorrow.

Kind regards and looking forward to seeing you all in Paris,

Tobias
(websec co-chair)

From julian.reschke@gmx.de  Mon Mar 19 02:35:49 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC2E321F8607 for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 02:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.477
X-Spam-Level: 
X-Spam-Status: No, score=-103.477 tagged_above=-999 required=5 tests=[AWL=-0.878, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qk9M0krXYLfl for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 02:35:49 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 812E021F8606 for <websec@ietf.org>; Mon, 19 Mar 2012 02:35:48 -0700 (PDT)
Received: (qmail invoked by alias); 19 Mar 2012 09:35:47 -0000
Received: from p57A6F533.dip.t-dialin.net (EHLO [192.168.178.36]) [87.166.245.51] by mail.gmx.net (mp001) with SMTP; 19 Mar 2012 10:35:47 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/7kM5Srij77FLJXZTPSxkf+v6qkyn1QawquPi4FX UOntV+0yvOxCuh
Message-ID: <4F66FDF1.9090306@gmx.de>
Date: Mon, 19 Mar 2012 10:35:45 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4F66623F.9000300@gondrom.org>
In-Reply-To: <4F66623F.9000300@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 09:35:49 -0000

On 2012-03-18 23:31, Tobias Gondrom wrote:
> Hello dear websec fellows,
>
> after reading the feedback, tracker entries and the updates on the HSTS
> draft, the WG chairs and secretary have the impression that the draft is
> in good shape and we like to ask for WG Last Call for this document:
> http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
>
> As we are close to the IETF meeting in Paris, this last call will be
> extended to three weeks and close on April-9. Please make a last careful
> review of the draft and submit comments, questions and discuss items for
> this draft ASAP. You can submit them via email to the mailing-list or
> make entries for HSTS in the tracker. If you perceive any major issues,
> it might also make sense to raise them during our meeting in Paris on
> March-26.
>
> Kind regards and thank you,
> ...

I'd like to point out that I still think my concerns over the 
inconsistent use of quoted-string 
(<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>) 
are valid and not addressed; and I think they should be before you go to 
IETF LC.

Note that since we had a long discussion with Adam Barth about 
quoted-string, Chrome has started supporting it in Content-Disposition, 
and a similar fix for Content-Type is in preparation 
(<http://code.google.com/p/chromium/issues/detail?id=103361#c7>).

In <http://www.ietf.org/mail-archive/web/websec/current/msg01045.html> 
Jeff points out that Firefox doesn't support quoted-string in all 
parameters, but IMHO that's a bogus argument because it currently 
doesn't support q-s *at all*; so it will need to be fixed to conform to 
the current spec as well (see 
<https://bugzilla.mozilla.org/show_bug.cgi?id=718409>).

I believe this could be a useful discussion topic for Paris.

Best regards, Julian

From marsh@extendedsubset.com  Mon Mar 19 10:05:08 2012
Return-Path: <marsh@extendedsubset.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3307021F8852 for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 10:05:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level: 
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LV1lO2EVkAmN for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 10:05:07 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by ietfa.amsl.com (Postfix) with ESMTP id 9458521F884F for <websec@ietf.org>; Mon, 19 Mar 2012 10:05:07 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1S9g14-000G7v-76; Mon, 19 Mar 2012 17:05:06 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id B39CA6081; Mon, 19 Mar 2012 17:05:04 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX193lfibhIt0DiIuz0ZhCIbj0jLB+0p59zg=
Message-ID: <4F676740.2040509@extendedsubset.com>
Date: Mon, 19 Mar 2012 12:05:04 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de>
In-Reply-To: <4F66FDF1.9090306@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 17:05:08 -0000

On 03/19/2012 04:35 AM, Julian Reschke wrote:
> I'd like to point out that I still think my concerns over the
> inconsistent use of quoted-string
> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
> are valid and not addressed; and I think they should be before you go to
> IETF LC.

As a developer at a company which makes a product that makes security 
decisions based on parsing HTTP headers I find Julian's concerns, well, 
concerning.

While we don't currently operate on this specific header, ambiguities in 
how an application server will interpret minor variations on header 
values often become opportunities for an attacker to bypass security 
measures. For example, a "web application firewall" (WAF) may be 
configured to forbid certain values of a customer-specified header. When 
new headers don't follow consistent syntactic rules, it takes away a bit 
of the developer's ability to simplify things for his customer.

Again, I'm not claiming to be an expert on this particular header and 
clearly it's a difficult issue with arguments for doing it both ways. 
But I would ask that everyone try their best to find the least-bad 
alternative with an emphasis on consistency with the rest of HTTP.

- Marsh
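
The quoted-string inconsistency Julian raises above and the parser-mismatch risk Marsh describes, as an added example that is not part of this thread or of the HSTS draft: a small Python parser for the Strict-Transport-Security field value that follows the draft's ABNF (directive-value = token / quoted-string, each directive at most once, max-age required and numeric, includeSubDomains valueless), placed beside a naive split-on-delimiters parser of the kind a header-inspecting middlebox might use. The function names (`parse_sts`, `naive_parse`, `parsers_agree`) and the sample header values are constructed for this illustration; the rejection rules encode my reading of the draft, not its text.

```python
"""Added example: parsing Strict-Transport-Security (STS) field values.

Follows the HSTS draft ABNF (directive-value = token / quoted-string) and
contrasts it with a naive delimiter-splitting parser. All names and sample
values here are constructed for this illustration.
"""
import re
from typing import Dict, List, Optional

# token / quoted-string as used by HTTP header grammars.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(
    rf"^\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED_STRING}))?\s*$"
)


def split_directives(field_value: str) -> List[str]:
    """Split on ';' only outside quoted-strings; raise on an unterminated quote."""
    parts: List[str] = []
    buf: List[str] = []
    in_quote = escaped = False
    for ch in field_value:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf))
    return parts


def unquote(value: str) -> str:
    """Strip the quotes of a quoted-string and resolve backslash escapes."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts(field_value: str) -> Optional[Dict[str, object]]:
    """Strict parse. Returns {'max_age': int, 'include_subdomains': bool},
    or None when a UA should ignore the field (bad syntax, repeated
    directive, missing/non-numeric max-age, valued includeSubDomains)."""
    try:
        raw_parts = split_directives(field_value)
    except ValueError:
        return None
    directives: Dict[str, Optional[str]] = {}
    for raw in raw_parts:
        if raw.strip() == "":
            continue  # grammar allows empty slots: *( ";" [ directive ] )
        m = DIRECTIVE_RE.match(raw)
        if m is None:
            return None
        name = m.group("name").lower()  # directive names are case-insensitive
        if name in directives:
            return None  # each directive may appear at most once
        value = m.group("value")
        directives[name] = unquote(value) if value is not None else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    if "includesubdomains" in directives and directives["includesubdomains"] is not None:
        return None  # includeSubDomains is valueless
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


def naive_parse(field_value: str) -> Dict[str, str]:
    """Split on ';' and '=' with no notion of quoted-string: the kind of
    shortcut that makes two parsers see different policies."""
    out: Dict[str, str] = {}
    for part in field_value.split(";"):
        name, _, value = part.strip().partition("=")
        out[name.strip().lower()] = value.strip()
    return out


def parsers_agree(field_value: str) -> bool:
    """True when the naive parser sees the same max-age the strict one does."""
    strict = parse_sts(field_value)
    naive = naive_parse(field_value).get("max-age")
    if strict is None:
        return naive is None
    return naive == str(strict["max_age"])


if __name__ == "__main__":
    for hv in ('max-age=31536000; includeSubDomains',
               'max-age="31536000"',
               'max-age="3;1"',
               'max-age=31536000; max-age=1'):
        print(f"{hv!r:45} strict={parse_sts(hv)} agree={parsers_agree(hv)}")
```

`parsers_agree` makes the point of both messages concrete: for `max-age=31536000` both parsers see the same policy, but for `max-age="31536000"` the strict parser accepts a one-year policy while the naive one sees a value it cannot compare, and a value such as `"3;1"` is one directive to one parser and two to the other. A WAF or proxy that uses the naive form and a user agent that uses the strict form will enforce different things for the same bytes, which is exactly the consistency argument for settling the quoted-string question in the ABNF before IETF LC.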

From tobias.gondrom@gondrom.org  Mon Mar 19 12:59:12 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 270F121F86F7 for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 12:59:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.588
X-Spam-Level: 
X-Spam-Status: No, score=-96.588 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jeuoGsNoUgf for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 12:59:11 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 02D0621F86F6 for <websec@ietf.org>; Mon, 19 Mar 2012 12:59:10 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=jhsLr0yyySY/sOcpdH1aPYcRXlGWe7DA0fQqjJuFtGmkcrArO+u877+ehk32fHBIP8lt7P2CoUdcClgWHZAnXXUaoljxhobAt2khzID0JSj3uQDlDO3/54dpqSqL+6fH; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:X-Priority:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 1170 invoked from network); 19 Mar 2012 20:59:08 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.76?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 19 Mar 2012 20:59:08 +0100
Message-ID: <4F67900C.8000908@gondrom.org>
Date: Mon, 19 Mar 2012 19:59:08 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: julian.reschke@gmx.de
X-Priority: 4 (Low)
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de>
In-Reply-To: <4F66FDF1.9090306@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 19:59:12 -0000

Julian,

thank you for the reminder. I agree that we have to discuss this during 
our WG LC (and before we go to IETF LC).
Definitely yes, to discuss this at our meeting in Paris.

Best regards, Tobias


On 19/03/12 09:35, Julian Reschke wrote:
> On 2012-03-18 23:31, Tobias Gondrom wrote:
>> Hello dear websec fellows,
>>
>> after reading the feedback, tracker entries and the updates on the HSTS
>> draft, the WG chairs and secretary have the impression that the draft is
>> in good shape and we like to ask for WG Last Call for this document:
>> http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
>>
>> As we are close to the IETF meeting in Paris, this last call will be
>> extended to three weeks and close on April-9. Please make a last careful
>> review of the draft and submit comments, questions and discuss items for
>> this draft ASAP. You can submit them via email to the mailing-list or
>> make entries for HSTS in the tracker. If you perceive any major issues,
>> it might also make sense to raise them during our meeting in Paris on
>> March-26.
>>
>> Kind regards and thank you,
>> ...
>
> I'd like to point out that I still think my concerns over the 
> inconsistent use of quoted-string 
> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>) 
> are valid and not addressed; and I think they should be before you go 
> to IETF LC.
>
> Note that since we had a long discussion with Adam Barth about 
> quoted-string, Chrome has started supporting it in 
> Content-Disposition, and a similar fix for Content-Type is in 
> preparation 
> (<http://code.google.com/p/chromium/issues/detail?id=103361#c7>).
>
> In <http://www.ietf.org/mail-archive/web/websec/current/msg01045.html> 
> Jeff points out that Firefox doesn't support quoted-string in all 
> parameters, but IMHO that's a bogus argument because it currently 
> doesn't support q-s *at all*; so it will need to be fixed to conform 
> to the current spec as well (see 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=718409>).
>
> I believe this could be a useful discussion topic for Paris.
>
> Best regards, Julian


From alexey.melnikov@isode.com  Mon Mar 19 13:23:55 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA87421F881C for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 13:23:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46jOen7SYiPh for <websec@ietfa.amsl.com>; Mon, 19 Mar 2012 13:23:55 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by ietfa.amsl.com (Postfix) with ESMTP id 70BE621F87DF for <websec@ietf.org>; Mon, 19 Mar 2012 13:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332188627; d=isode.com; s=selector; i=@isode.com; bh=P1Rr+hCqLxtrowQjNooofAtYRQgVPpIKFkaz7YmV30o=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=J2N0+ixhRi8VpTVdk7IvrB6JsSCkHxQ8oedZo7dGGwFr7KEB7w4G7tEfwqeZjK2xbcNVnn PqvtgrmMhalKYL0n6/6Bx03AwY+fLL5q/5hoVvXX8sNCksS5DV1eywDBPGIAne0ttxZl1D Jf4KkQbfmuR8tYK9xszVr6s40dP47Iw=;
Received: from [188.29.240.8] (188.29.240.8.threembb.co.uk [188.29.240.8])  by rufus.isode.com (submission channel) via TCP with ESMTPSA  id <T2eV0gBhuiur@rufus.isode.com>; Mon, 19 Mar 2012 20:23:46 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F678DFA.10009@isode.com>
Date: Mon, 19 Mar 2012 19:50:18 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: websec@ietf.org
References: <4F66623F.9000300@gondrom.org>
In-Reply-To: <4F66623F.9000300@gondrom.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 20:23:56 -0000

On 18/03/2012 22:31, Tobias Gondrom wrote:
> Hello dear websec fellows,
>
> after reading the feedback, tracker entries and the updates on the 
> HSTS draft, the WG chairs and secretary have the impression that the 
> draft is in good shape and we like to ask for WG Last Call for this 
> document:
> http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
>
> As we are close to the IETF meeting in Paris, this last call will be 
> extended to three weeks and close on April-9. Please make a last 
> careful review of the draft and submit comments, questions and discuss 
> items for this draft ASAP. You can submit them via email to the 
> mailing-list or make entries for HSTS in the tracker. If you perceive 
> any major issues, it might also make sense to raise them during our 
> meeting in Paris on March-26.
I just would like to add that raising issues at a microphone in Paris 
doesn't replace sending them in email/opening a tracker ticket. And WG 
chairs would really appreciate reviews before March 26th.
>
> Kind regards and thank you,
>
> Tobias
> chair of websec
Alexey,
WebSec co-chair.


From sm@resistor.net  Tue Mar 20 08:53:10 2012
Return-Path: <sm@resistor.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E42221F8602 for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 08:53:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.629
X-Spam-Level: 
X-Spam-Status: No, score=-102.629 tagged_above=-999 required=5 tests=[AWL=-0.030, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWeEcv9d2w2f for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 08:53:08 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6F621F847C for <websec@ietf.org>; Tue, 20 Mar 2012 08:53:08 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id q2KFqvV3020075; Tue, 20 Mar 2012 08:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1332258783; i=@resistor.net; bh=I9ROfrxg3s4SS7eEL3Dr8o+gmjair+TGVqnQH/rV2Z4=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=CXLq+L7WEAYWHtZfAaQ7nrYqeNKDm/lN+olyafjf3E85w3s8fVZNx5JpxM2BwnKla KbfS3+kJcuxODtTVkkVCqE9Sb12XQDzoU9XGURF0S7bBNOpZ4P7XMMbfwiwk3Tm83d ipTwcvisQ/WEl7IexGPp2pS8uaQEuyQi38PuV1LU=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1332258783; i=@resistor.net; bh=I9ROfrxg3s4SS7eEL3Dr8o+gmjair+TGVqnQH/rV2Z4=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=jjbdiI5bQyw5NzFqdT1RoWJUhMBNq31/TZJz4aas+qAEC/UeuiqeDGkbdjG0srmU4 Nj5ig5aOHJnY0OO4vZ7Lg6gcMpnU2Bj3arBNAFPANztaSYXF7vNFzQaM806y9qAT4m xNut9cXcVx62BfgZ/VqGayyAtvlEkWLFktQNLnkg=
Message-Id: <6.2.5.6.2.20120320082723.09b07fa8@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 20 Mar 2012 08:29:25 -0700
To: Julian Reschke <julian.reschke@gmx.de>
From: SM <sm@resistor.net>
In-Reply-To: <4F66FDF1.9090306@gmx.de>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 15:53:10 -0000

Hi Julian,
At 02:35 19-03-2012, Julian Reschke wrote:
>I'd like to point out that I still think my concerns over the 
>inconsistent use of quoted-string 
>(<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>) 
>  are valid and not addressed; and I think they should be before you 
>go to IETF LC.

Wasn't a similar issue raised in another WG recently?

Regards,
-sm 


From julian.reschke@gmx.de  Tue Mar 20 09:01:14 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BAA021F85A1 for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 09:01:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.402
X-Spam-Level: 
X-Spam-Status: No, score=-104.402 tagged_above=-999 required=5 tests=[AWL=-1.803, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lad2ptmOIE82 for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 09:01:13 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 336AC21F861C for <websec@ietf.org>; Tue, 20 Mar 2012 09:01:13 -0700 (PDT)
Received: (qmail invoked by alias); 20 Mar 2012 16:01:12 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp034) with SMTP; 20 Mar 2012 17:01:12 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19b87E/RxJbj9aNE2I3r0Xo6n9kuyI3J88Qm8eIKQ 3EUFsEOsBGDqk9
Message-ID: <4F68A9C7.1060309@gmx.de>
Date: Tue, 20 Mar 2012 17:01:11 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: SM <sm@resistor.net>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de> <6.2.5.6.2.20120320082723.09b07fa8@resistor.net>
In-Reply-To: <6.2.5.6.2.20120320082723.09b07fa8@resistor.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 16:01:14 -0000

On 2012-03-20 16:29, SM wrote:
> Hi Julian,
> At 02:35 19-03-2012, Julian Reschke wrote:
>> I'd like to point out that I still think my concerns over the
>> inconsistent use of quoted-string
>> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
>> are valid and not addressed; and I think they should be before you go
>> to IETF LC.
>
> Wasn't a similar issue raised in another WG recently?
> ...

Indeed; in the context of the auth parameters in the OAuth Bearer 
authentication scheme.

There's a slight difference though, the Bearer spec defined new 
parameters for an HTTP header field that already exists 
(WWW-Authenticate), while STS is a completely new header field.

In the first case, it's a bug (that got fixed), in this case it's "just" 
a bad idea. Note that HTTPbis P2 has advice with respect to this:

"Many header fields use a format including (case-insensitively) named 
parameters (for instance, Content-Type, defined in Section 6.8 of 
[Part3]). Allowing both unquoted (token) and quoted (quoted-string) 
syntax for the parameter value enables recipients to use existing parser 
components. When allowing both forms, the meaning of a parameter value 
ought to be independent of the syntax used for it (for an example, see 
the notes on parameter handling for media types in Section 2.3 of 
[Part3])." -- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1.p.8>

Best regards, Julian

From paul.hoffman@vpnc.org  Tue Mar 20 18:22:02 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E19021F855B for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 18:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.672
X-Spam-Level: 
X-Spam-Status: No, score=-102.672 tagged_above=-999 required=5 tests=[AWL=-0.073, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rmu+JpaJp3lW for <websec@ietfa.amsl.com>; Tue, 20 Mar 2012 18:22:01 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 9F8B921F8559 for <websec@ietf.org>; Tue, 20 Mar 2012 18:22:01 -0700 (PDT)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q2L1LvP6038123 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <websec@ietf.org>; Tue, 20 Mar 2012 18:21:58 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
X-Priority: 2 (High)
In-Reply-To: <4F66623F.9000300@gondrom.org>
Date: Tue, 20 Mar 2012 18:21:57 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <B7C71F2C-D1ED-4C82-ADB9-23E65DC6150C@vpnc.org>
References: <4F66623F.9000300@gondrom.org>
To: IETF WebSec WG <websec@ietf.org>
X-Mailer: Apple Mail (2.1257)
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2012 01:22:02 -0000

Greetings again. I have read the draft again, and am quite happy that this is moving forwards. Having said that, I have a list of issues that I think need to be dealt with, and a few editorial issues.

--Paul Hoffman


Significant:

This document pretends that the TLSA protocol from the DANE WG will not exist. This is a tad odd, given that TLSA is likely to be published a few weeks before HSTS. In specific, bullet 2 of section 2.2 and all of section 10.2 are written as if self-signed certificates will always cause HSTS-compliant browsers to fail, even if those certificates cause matching when used with TLSA.

Proposed replacements:

   2.  The UA terminates any secure transport connection attempts upon
       any and all secure transport errors or warnings, including those
       caused by a web application presenting a certificate that does
       chain to a trusted root or match a trusted certificate association
       from the TLSA protocol [I-D.draft-ietf-dane-protocol].

. . .

   If a web site/organization/enterprise is generating their own secure
   transport public-key certificates for web sites, and that
   organization's root certification authority (CA) certificate is not
   typically embedded by default in browser CA certificate stores, and
   if HSTS Policy is enabled on a site identifying itself using a self-
   signed certificate, and the certificate presented by the TLS server
   does not match a trusted certificate association from the TLSA
   protocol [I-D.draft-ietf-dane-protocol],
   then secure connections to that site will fail,
   per the HSTS design.  This is to protect against various active
   attacks, as discussed above.

   However, if said organization strongly wishes to employ self-signed
   certificates, and their own CA in concert with HSTS, they can do so
   by deploying their root CA certificate to their users' browsers.
   They can also, in addition or instead, distribute to their users'
   browsers the end-entity certificate(s) for specific hosts.  There are
   various ways in which this can be accomplished (details are out of
   scope for this specification).  Once their root CA certificate is
   installed in the browsers, they may employ HSTS Policy on their
   site(s).

   Alternately, that organization can deploy the TLSA protocol; all
   browsers that also use TLSA will then be able to trust the
   self-signed certificates if it announced through TLSA.

   Note:  Interactively distributing root CA certificates to users,
          e.g., via email, and having the users install them, is
          arguably training the users to be susceptible to a possible
          form of phishing attack, see Section 14.6 "Bogus Root CA
          Certificate Phish plus DNS Cache Poisoning Attack".



Moderate:

In section 8.1.2, I don't know what "ignoring separator characters" means, and suspect it will cause pain if left this way.

[I-D.ietf-tls-ssl-version3] is not a "work in progress". I'll take this up on the rfc-interest mailing list, and nothing needs to be done here.

RFC 2818 is listed as a normative reference, and yet it is Informational. This will need to be called out in the PROTO report. Alternately, it can be called an informative reference, since one does not need to understand it in order to implement this document.

I have alerted the idna-update mailing list of this WG LC. This might cause some helicoptered-in comments, but better now than during IETF LC.



Editorial:

"annunciate" (used a few times) is a fancy word for "announce". Maybe use the far more common word instead.

In section 3.1, "suboptimal downside" is unclear. Is there an optimal downside? I suggest replacing it with "negative".

The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are used in 11.1 and 11.3. This should be an easy fix.

From ynir@checkpoint.com  Wed Mar 21 01:56:28 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96DCA21F85A2 for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 01:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.494
X-Spam-Level: 
X-Spam-Status: No, score=-10.494 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YbIWQ3aHUIh6 for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 01:56:27 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 467D921F85A1 for <websec@ietf.org>; Wed, 21 Mar 2012 01:56:25 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q2L8uOQx008610 for <websec@ietf.org>; Wed, 21 Mar 2012 10:56:24 +0200
X-CheckPoint: {4F699737-1-1B221DC2-5FFFF}
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Wed, 21 Mar 2012 10:56:23 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Wed, 21 Mar 2012 10:56:23 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "websec@ietf.org WG" <websec@ietf.org>
Importance: high
X-Priority: 1
Date: Wed, 21 Mar 2012 10:56:26 +0200
Thread-Topic: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06	until April-9
Thread-Index: Ac0HQH3PzWy8GO7vRra4q2RTQiuJWA==
Message-ID: <C6475516-1D41-4510-B207-AFED1DC91840@checkpoint.com>
References: <4F66623F.9000300@gondrom.org>
In-Reply-To: <4F66623F.9000300@gondrom.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06	until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2012 08:56:28 -0000

Hi

I have two significant comments, and several editorial.

The significant:

I have said this before, and was rejected by the group, so I'll raise this one last time here.
Section 8.3 makes it a MUST-level requirement that any failure of the underlying secure transport. Section 11.1 clarifies that there should be no user recourse for this. This makes the cost of implementing unreasonably high, and significantly discourages trial roll-outs. Adding an HSTS header to your web site takes about 2 lines of configuration file in Apache. But doing so makes small errors like letting the certificate lapse or using links with a different FQDN cause hard failures. Both these sections do now state specifically what constitutes a failure, so it might be that the intention was not to include expirations. I think this should be clarified, but mismatched names obviously apply.
I suggest that either we remove the no user recourse advice, or else add a "hardfail" directive. Roll out with "hardfail=no", and if people don't complain, change to "hardfail=yes"

Section 10.3 discusses the case where the server or some subdomain also hosts CRLs or OCSP and suggests some work-around to the "all TCP" port requirement. Fetching CRLs is a different context than rendering a web page. I think the suggestions should be removed and a sentence added that says that the STS policy does not apply to fetching of revocation information by the browser. I think this would be far easier to implement.


Editorial:

In the introduction 2nd paragraph it says "(although modulo other rules)". s/modulo/subject to/.

Also, replace "annunciate" with "announce" or "indicate".

Both the introduction and section 8.2 say the policy applies to "all TCP ports". Hosts have multiple TCP ports: for SSH as an example. I suggest we change to "all HTTP(S) ports"

In the title of section 8.5, I think we can do without the word "Interstitially".

Section 10.1 begins with "Server implementations and deploying web sites need to consider whether they are setting…". Searching for the alternative (because an implied "or not" doesn't work for this sentence) took me to the 4th paragraph of this section, and the top of page 21, which begins with "Or, whether they are setting". This won't make it past the RFC editor, but I think it should be rephrased earlier.

Section 14.1 discusses a UA behind an SSL proxy and implies that such a connection will cause warning screens (without HSTS) or hard failures. Such a deployment would be considered a wrong deployment of an SSL proxy. Administrators usually configure the UAs that are managed, and give detailed instructions to the owners of UAs that are not managed, so that the CA used by the proxy is trusted. There should be no warnings and no hard failures.

Yoav

On Mar 19, 2012, at 12:31 AM, Tobias Gondrom wrote:

> Hello dear websec fellows,
> 
> after reading the feedback, tracker entries and the updates on the HSTS 
> draft, the WG chairs and secretary have the impression that the draft is 
> in good shape and we like to ask for WG Last Call for this document:
> http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06
> 
> As we are close to the IETF meeting in Paris, this last call will be 
> extended to three weeks and close on April-9. Please make a last careful 
> review of the draft and submit comments, questions and discuss items for 
> this draft ASAP. You can submit them via email to the mailing-list or 
> make entries for HSTS in the tracker. If you perceive any major issues, 
> it might also make sense to raise them during our meeting in Paris on 
> March-26.
> 
> Kind regards and thank you,
> 
> Tobias
> chair of websec


From paul.hoffman@vpnc.org  Wed Mar 21 07:37:08 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DABF921F8656 for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 07:37:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.672
X-Spam-Level: 
X-Spam-Status: No, score=-102.672 tagged_above=-999 required=5 tests=[AWL=-0.073, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHnYEvgPObtL for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 07:37:08 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id B1FCB21F8503 for <websec@ietf.org>; Wed, 21 Mar 2012 07:36:46 -0700 (PDT)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q2LEahHw065025 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <websec@ietf.org>; Wed, 21 Mar 2012 07:36:44 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1257)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4F66FDF1.9090306@gmx.de>
Date: Wed, 21 Mar 2012 07:36:44 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F34D887-38D0-4011-8E1D-77B6F923F6C6@vpnc.org>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de>
To: IETF WebSec WG <websec@ietf.org>
X-Mailer: Apple Mail (2.1257)
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2012 14:37:09 -0000

On Mar 19, 2012, at 2:35 AM, Julian Reschke wrote:

> I'd like to point out that I still think my concerns over the inconsistent use of quoted-string (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>) are valid and not addressed; and I think they should be before you go to IETF LC.
> 
> Note that since we had a long discussion with Adam Barth about quoted-string, Chrome has started supporting it in Content-Disposition, and a similar fix for Content-Type is in preparation (<http://code.google.com/p/chromium/issues/detail?id=103361#c7>).
> 
> In <http://www.ietf.org/mail-archive/web/websec/current/msg01045.html> Jeff points out that Firefox doesn't support quoted-string in all parameters, but IMHO that's a bogus argument because it currently doesn't support q-s *at all*; so it will need to be fixed to conform to the current spec as well (see <https://bugzilla.mozilla.org/show_bug.cgi?id=718409>).

+1. This is an important topic.

--Paul Hoffman


From paul.hoffman@vpnc.org  Wed Mar 21 07:44:27 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DC3021F8639 for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 07:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.671
X-Spam-Level: 
X-Spam-Status: No, score=-102.671 tagged_above=-999 required=5 tests=[AWL=-0.072, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Iwd1eyl6p1u for <websec@ietfa.amsl.com>; Wed, 21 Mar 2012 07:44:26 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 919A821F861C for <websec@ietf.org>; Wed, 21 Mar 2012 07:44:26 -0700 (PDT)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q2LEiPri065681 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <websec@ietf.org>; Wed, 21 Mar 2012 07:44:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=windows-1252
From: Paul Hoffman <paul.hoffman@vpnc.org>
X-Priority: 1
In-Reply-To: <C6475516-1D41-4510-B207-AFED1DC91840@checkpoint.com>
Date: Wed, 21 Mar 2012 07:44:26 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <FD84C9BC-A279-494B-87BF-3B3051FD602D@vpnc.org>
References: <4F66623F.9000300@gondrom.org> <C6475516-1D41-4510-B207-AFED1DC91840@checkpoint.com>
To: "websec@ietf.org WG" <websec@ietf.org>
X-Mailer: Apple Mail (2.1257)
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06	until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2012 14:44:27 -0000

On Mar 21, 2012, at 1:56 AM, Yoav Nir wrote:

> I have said this before, and was rejected by the group, so I'll raise this one last time here.
> Section 8.3 makes it a MUST-level requirement that any failure of the underlying secure transport. Section 11.1 clarifies that there should be no user recourse for this. This makes the cost of implementing unreasonably high, and significantly discourages trial roll-outs. Adding an HSTS header to your web site takes about 2 lines of configuration file in Apache. But doing so makes small errors like letting the certificate lapse or using links with a different FQDN cause hard failures. Both these sections do now state specifically what constitutes a failure, so it might be that the intention was not to include expirations. I think this should be clarified, but mismatched names obviously apply.
> I suggest that either we remove the no user recourse advice, or else add a "hardfail" directive. Roll out with "hardfail=no", and if people don't complain, change to "hardfail=yes"

I support this idea. As we have seen with the rollout of DNSSEC, hardfails turn into bad publicity, which then turn into delayed deployment. The browser industry experiments with different ways to alert the user or hardfail, and the addition of this option would aid those experiments.

> Section 10.3 discusses the case where the server or some subdomain also hosts CRLs or OCSP and suggests some work-around to the "all TCP" port requirement. Fetching CRLs is a different context than rendering a web page. I think the suggestions should be removed and a sentence added that says that the STS policy does not apply to fetching of revocation information by the browser. I think this would be far easier to implement.

This is a very good idea and will lead to fewer surprises. There is no need to SSL-protect CRL fetches. In fact, requiring SSL-protection on CRL fetches is impossible, since you need the CRL in order to get the CRL.

--Paul Hoffman


From Jeff.Hodges@KingsMountain.com  Fri Mar 23 16:01:30 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 050BF21F855D for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.746
X-Spam-Level: 
X-Spam-Status: No, score=-98.746 tagged_above=-999 required=5 tests=[AWL=-0.851, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sgmy6sT6ipiv for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:01:29 -0700 (PDT)
Received: from oproxy8-pub.bluehost.com (oproxy8.bluehost.com [IPv6:2605:dc00:100:2::a8]) by ietfa.amsl.com (Postfix) with SMTP id 6320221F855A for <websec@ietf.org>; Fri, 23 Mar 2012 16:01:29 -0700 (PDT)
Received: (qmail 521 invoked by uid 0); 23 Mar 2012 22:01:38 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy8.bluehost.com with SMTP; 23 Mar 2012 22:01:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=J0MDEtXeHzkRQwsygsGbeXfvc3izN6UndZMlA3jv5D0=;  b=os/Ly6pToR1FXrjJXlawDjg38GUZWJXkLWB+RR1obgf0KrrSrBkxhOOVz3Rzfz3DZmIPnQuBwV4VRDb68x9+PRphiGJY08lRj6Rd6THTQY4UiNpmIATdfEuhTwVT2KUo;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SBDU6-00062Y-Jo for websec@ietf.org; Fri, 23 Mar 2012 17:01:26 -0600
Message-ID: <4F6D00C2.6090805@KingsMountain.com>
Date: Fri, 23 Mar 2012 16:01:22 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 23:01:30 -0000

James.H.Manger@team.telstra.com wrote:
 >
 > The ABNF for the Strict-Transport-Security header looks wrong. It now
 > *requires* a leading ";" before the first directive.

yes, it's broken as you indicate, and you aren't the only person to have 
noticed it.

I apologize (to all), I didn't thoroughly vet the suggested change to the ABNF 
before incorporating it. doh.

I suspect Julian just didn't look closely at his suggestion before posting it..

   https://www.ietf.org/mail-archive/web/websec/current/msg01020.html


 > I suggest the following ABNF.
 >
 >   Strict-Transport-Security = "Strict-Transport-Security" ":"
 >                                  directive *( ";" directive )
 >
 >   directive                 = [ token [ "=" ( token | quoted-string ) ] ]


Well, I've been counseled in the past (and agree with it) that having an ABNF 
production that is potentially totally null is not such a good idea.

Perhaps this approach addresses this problem and is closer to what Julian 
intended..

      Strict-Transport-Security = "Strict-Transport-Security" ":"
                                  [ directive ]  *( ";" [ directive ] )

      directive                 = token [ "=" ( token | quoted-string ) ]

?

thanks,

=JeffH
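
As an added example, not code from the thread or from the HSTS draft: a Python parser for the Strict-Transport-Security field value that follows the ABNF proposed just above, `[ directive ] *( ";" [ directive ] )` with `directive = token [ "=" ( token | quoted-string ) ]`, so a leading ";" or an empty directive slot is tolerated rather than required. It also illustrates Julian's earlier point in this thread that a parameter written as a quoted-string ought to mean the same as the token form: quoted values are unquoted before comparison. The directive names `max-age` and `includeSubDomains` in the sample inputs, and all function and class names, are my own choices for the example; the sample header values are constructed.

```python
import re

# tchar as in the HTTP "token" production: any character except CTLs and
# separators. Constructed for this example, not the draft's own code.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# quoted-string: DQUOTE, then qdtext or quoted-pair (backslash + any char), DQUOTE
QUOTED_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


class HSTSSyntaxError(ValueError):
    """Raised when the field value does not match the directive grammar."""


def _skip_ows(s, pos):
    """Skip optional whitespace (SP / HTAB) starting at pos."""
    while pos < len(s) and s[pos] in " \t":
        pos += 1
    return pos


def _unquote(qs_body):
    """Undo quoted-pair escaping inside a quoted-string body."""
    return re.sub(r"\\(.)", r"\1", qs_body)


def parse_sts(value):
    """Parse a Strict-Transport-Security field value.

    Grammar (as proposed on the list):
        field-value = [ directive ] *( ";" [ directive ] )
        directive   = token [ "=" ( token | quoted-string ) ]

    Returns a list of (name, value) pairs. Names are lower-cased (the
    parameters are named case-insensitively) and quoted-string values are
    unquoted, so 'max-age="100"' and 'max-age=100' yield the same pair.
    """
    directives = []
    pos = 0
    end = len(value)
    while True:
        pos = _skip_ows(value, pos)
        # [ directive ]: a directive is present only if a token starts here;
        # an empty slot (leading ";" or ";;") is permitted by the grammar.
        if pos < end and value[pos] != ";":
            m = TOKEN_RE.match(value, pos)
            if not m:
                raise HSTSSyntaxError("expected directive name at offset %d" % pos)
            name = m.group(0).lower()
            pos = _skip_ows(value, m.end())
            val = None
            if pos < end and value[pos] == "=":
                pos = _skip_ows(value, pos + 1)
                q = QUOTED_STRING_RE.match(value, pos)
                if q:
                    val = _unquote(q.group(1))
                    pos = q.end()
                else:
                    t = TOKEN_RE.match(value, pos)
                    if not t:
                        raise HSTSSyntaxError(
                            "expected token or quoted-string at offset %d" % pos)
                    val = t.group(0)
                    pos = t.end()
                pos = _skip_ows(value, pos)
            directives.append((name, val))
        # After an optional directive we must be at the end or at a ";".
        if pos >= end:
            return directives
        if value[pos] != ";":
            raise HSTSSyntaxError("expected ';' at offset %d" % pos)
        pos += 1  # consume ";" and look for the next optional directive


def is_valid_sts(value):
    """True if the field value matches the grammar, False otherwise."""
    try:
        parse_sts(value)
    except HSTSSyntaxError:
        return False
    return True


def same_policy(a, b):
    """True if two field values express the same directives, regardless of
    whether each value was written as a token or as a quoted-string."""
    return parse_sts(a) == parse_sts(b)


if __name__ == "__main__":
    # Constructed sample values (not taken from the draft).
    for v in ('max-age=31536000; includeSubDomains',
              '; max-age="31536000"; includeSubDomains;',
              'max-age=31536000 includeSubDomains'):
        if is_valid_sts(v):
            print(repr(v), "->", parse_sts(v))
        else:
            print(repr(v), "-> rejected")
```

The scanner walks the value character by character instead of splitting on ";" because a quoted-string may itself contain a semicolon; the third sample value is rejected because two directives are juxtaposed without a ";" between them.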




From martin.thomson@gmail.com  Fri Mar 23 16:16:35 2012
Return-Path: <martin.thomson@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E45021F8550 for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.62
X-Spam-Level: 
X-Spam-Status: No, score=-4.62 tagged_above=-999 required=5 tests=[AWL=-1.021,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptpYwbniaO-5 for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:16:34 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 379BF21F854D for <websec@ietf.org>; Fri, 23 Mar 2012 16:16:34 -0700 (PDT)
Received: by bkuw5 with SMTP id w5so3342843bku.31 for <websec@ietf.org>; Fri, 23 Mar 2012 16:16:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Oh4qOEQcz+eDnQuuNsvLQRk9K4Nj1olP1ZtYhEebUR4=; b=dkMn8fhtekh/vim/ozv7NDcOKiApl0i/l+Nu6M9JL7FCsof0foK1pAxTMSQV+NPb6V sRrN7mbTXYrqqhfWTuLwYOm8UbRMBGqR7ZyrI/62fn3cSkud4Sk8z73LZmYhz5v8fi6y abklu1RDASNvFXu2Ab21CSwTh40bhtVVzf5KavXPsSM5PUV4K6NH+nTrnznMh4acEHH1 +nwiPLKW7HJMDNv3PPG8YpD2EgsfO2yGFdSucF8XIcUoowu5dRPpCGAP09PFqhAIUmnS 4qBHtXd32VbTeAZL6N0A5yFXrkTaEKBs6ta/4fYOSILGnSSP6HVCV2bhYzzDypVxoq9U zkWA==
MIME-Version: 1.0
Received: by 10.204.154.210 with SMTP id p18mr2068241bkw.122.1332544593302; Fri, 23 Mar 2012 16:16:33 -0700 (PDT)
Received: by 10.204.121.208 with HTTP; Fri, 23 Mar 2012 16:16:33 -0700 (PDT)
In-Reply-To: <4F6D00C2.6090805@KingsMountain.com>
References: <4F6D00C2.6090805@KingsMountain.com>
Date: Fri, 23 Mar 2012 16:16:33 -0700
Message-ID: <CABkgnnXxPQCJG2uuWuz-avxea_eZJF3Q7S5jD3X60U+NxSZqPQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 23:16:35 -0000

On 23 March 2012 16:01, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>> I suggest the following ABNF.
>>
>>   Strict-Transport-Security = "Strict-Transport-Security" ":"
>>                                 directive *( ";" directive )
>>
>>   directive                 = [ token [ "=" ( token | quoted-string ) ] ]
>
>
> Well, I've been counseled in the past (and agree with it) that having an
> ABNF production that is potentially totally null is not such a good idea.
>
> Perhaps this approach addresses this problem and is closer to what Julian
> intended..
>
>     Strict-Transport-Security = "Strict-Transport-Security" ":"
>                                 [ directive ]  *( ";" [ directive ] )
>
>     directive                 = token [ "=" ( token | quoted-string ) ]
>

That's exactly the same as what I see above, and both have two obvious
problems, one of which I think you all missed.

You want zero or more directives?  Or one or more?

for one or more:
STS = "STS" ":" directive *(";" directive)
for zero or more:
STS = "STS" ":" [ directive *(";" directive) ]
and:
directive = token ["="(token / quoted-string)]

Note the second problem: a slash should be used instead of vertical bar.

--Martin

From Jeff.Hodges@KingsMountain.com  Fri Mar 23 16:40:00 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31D7421E801F for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.089
X-Spam-Level: 
X-Spam-Status: No, score=-99.089 tagged_above=-999 required=5 tests=[AWL=-0.453, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jj+HH0gryAj6 for <websec@ietfa.amsl.com>; Fri, 23 Mar 2012 16:39:59 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id B41EB21E800F for <websec@ietf.org>; Fri, 23 Mar 2012 16:39:59 -0700 (PDT)
Received: (qmail 1246 invoked by uid 0); 23 Mar 2012 23:39:58 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 23 Mar 2012 23:39:58 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=IIphQZUkxWr9AcvfE7DW96R9KjPy1ZdG8ku2By9cDo0=;  b=7cWVAVQDfpCZMem3rCGWlgxR4R4+T9MA5Zl7/bVZkBiG5xy+oQ4SoxaE4e9/Komb2Vp/vavc+GeQofkVdK9TY4aTS6CoTJMd3joArgeBFDTfq9xt1qwmdZzgY7tDMvQr;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.56]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SBE5N-0002i6-MK for websec@ietf.org; Fri, 23 Mar 2012 17:39:57 -0600
Message-ID: <4F6D09CA.3000804@KingsMountain.com>
Date: Fri, 23 Mar 2012 16:39:54 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 23:40:00 -0000

hi Martin,

 > for one or more:
 > STS = "STS" ":" directive *(";" directive)
 > for zero or more:
 > STS = "STS" ":" [ directive *(";" directive) ]
 > and:
 > directive = token ["="(token / quoted-string)]

I think you've missed the context of the discussion I had with Julian on this a 
little while ago.

https://www.ietf.org/mail-archive/web/websec/current/msg01045.html


 > Note the second problem: a slash should be used instead of vertical bar.

yep, thanks.

=JeffH



From julian.reschke@gmx.de  Sat Mar 24 01:37:43 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF93B21F8643 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 01:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.199
X-Spam-Level: 
X-Spam-Status: No, score=-103.199 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4gZcpM1i-3f for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 01:37:43 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 918D221F8486 for <websec@ietf.org>; Sat, 24 Mar 2012 01:37:42 -0700 (PDT)
Received: (qmail invoked by alias); 24 Mar 2012 08:37:41 -0000
Received: from p57A6E4F6.dip.t-dialin.net (EHLO [192.168.178.36]) [87.166.228.246] by mail.gmx.net (mp039) with SMTP; 24 Mar 2012 09:37:41 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX182IjlMeJ02EtTgsT2UPsMcpv2xjckT2vR+z8gnbf llRDJkSpG8G+sH
Message-ID: <4F6D87D1.9040800@gmx.de>
Date: Sat, 24 Mar 2012 09:37:37 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F6D00C2.6090805@KingsMountain.com>
In-Reply-To: <4F6D00C2.6090805@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 08:37:43 -0000

On 2012-03-24 00:01, =JeffH wrote:
> James.H.Manger@team.telstra.com wrote:
>  >
>  > The ABNF for the Strict-Transport-Security header looks wrong. It now
>  > *requires* a leading ";" before the first directive.
>
> yes, it's broken as you indicate, and you aren't the only person to have
> noticed it.
>
> I apologize (to all), I didn't thoroughly vet the suggested change to
> the ABNF before incorporating it. doh.
>
> I suspect Julian just didn't look closely at his suggestion before
> posting it..
>
> https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
>
>
>  > I suggest the following ABNF.
>  >
>  > Strict-Transport-Security = "Strict-Transport-Security" ":"
>  > directive *( ";" directive )
>  >
>  > directive = [ token [ "=" ( token | quoted-string ) ] ]
>
>
> Well, I've been counseled in the past (and agree with it) that having an
> ABNF production that is potentially totally null is not such a good idea.

Why? (want to know :-)

> Perhaps this approach addresses this problem and is closer to what
> Julian intended..
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
> [ directive ] *( ";" [ directive ] )
>
> directive = token [ "=" ( token | quoted-string ) ]
>
> ?
> ...

Works for me.

Reminder: if the separator character would have been "," in the first 
place, you wouldn't need to think about this (-> 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-19.html#rfc.section.3.2.5>)

Best regards, Julian

From alexey.melnikov@isode.com  Sat Mar 24 03:02:20 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADADF21F86AF for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seUG8J9pBDId for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:02:20 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id C81FC21F8664 for <websec@ietf.org>; Sat, 24 Mar 2012 03:02:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332583335; d=isode.com; s=selector; i=@isode.com; bh=eIElR3UmYcuFChrPmOOlz8VxMzZD1SXE/ACjfoRJUk4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=TM5E2C2e+hkNtavaJswV97GjPEe1p7R40z5yJyr8jUtVsu3dBn3iChVT/UEqlW/Eu4EmRB 3oevFbyySbZKuPbe9kybazzNZ/KEI0NZ4XG6DnYr6ktXFnkVSWfgjZkHZW5MEeHfQb1ps6 CZ5UY7drEaTo9SGg+P/NQdRRNTKKaqA=;
Received: from [130.129.18.66] (dhcp-1242.meeting.ietf.org [130.129.18.66])  by rufus.isode.com (submission channel) via TCP with ESMTPSA  id <T22bpgAikjPj@rufus.isode.com>; Sat, 24 Mar 2012 10:02:15 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F6D9BAC.2020304@isode.com>
Date: Sat, 24 Mar 2012 11:02:20 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: Martin Thomson <martin.thomson@gmail.com>
References: <4F6D00C2.6090805@KingsMountain.com> <CABkgnnXxPQCJG2uuWuz-avxea_eZJF3Q7S5jD3X60U+NxSZqPQ@mail.gmail.com>
In-Reply-To: <CABkgnnXxPQCJG2uuWuz-avxea_eZJF3Q7S5jD3X60U+NxSZqPQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 10:02:20 -0000

On 24/03/2012 00:16, Martin Thomson wrote:
> On 23 March 2012 16:01, =JeffH<Jeff.Hodges@kingsmountain.com>  wrote:
  [...]
> Note the second problem: a slash should be used instead of vertical bar.
This is RFC 2616 syntax, not RFC 5234. So no changes needed.



From alexey.melnikov@isode.com  Sat Mar 24 03:18:39 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EDC921F8702 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54aHv0Za+p7W for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:18:38 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7758321F86B5 for <websec@ietf.org>; Sat, 24 Mar 2012 03:18:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332584317; d=isode.com; s=selector; i=@isode.com; bh=rtiDIt0JJ0ngbC4AxY9LDuJjQtmufOfhk0JLERtDtK8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=jnesxwKh58O2DK/ES5DdNqdHhHjnSjnQlgP4FmtdBBuCIGwAcn6O6e1kgsSFY3P4SK/tnx JCJH9/jSsMFKmbRNGgIr+C5Uci0CTxNABq2vgwR5PxIayD2EfXQ2RsoQHkgJhwob5tMB9Z GvQW8Lhw/O5GGYL8rxv9M3Dy8/0BvYw=;
Received: from [130.129.18.66] (dhcp-1242.meeting.ietf.org [130.129.18.66])  by rufus.isode.com (submission channel) via TCP with ESMTPSA  id <T22ffAAikr9I@rufus.isode.com>; Sat, 24 Mar 2012 10:18:37 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F6D9F83.9000504@isode.com>
Date: Sat, 24 Mar 2012 11:18:43 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F6D00C2.6090805@KingsMountain.com>
In-Reply-To: <4F6D00C2.6090805@KingsMountain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 10:18:39 -0000

On 24/03/2012 00:01, =JeffH wrote:
> James.H.Manger@team.telstra.com wrote:
> >
> > The ABNF for the Strict-Transport-Security header looks wrong. It now
> > *requires* a leading ";" before the first directive.
>
> yes, it's broken as you indicate, and you aren't the only person to 
> have noticed it.
>
> I apologize (to all), I didn't thoroughly vet the suggested change to 
> the ABNF before incorporating it. doh.
>
> I suspect Julian just didn't look closely at his suggestion before 
> posting it..
>
>   https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
>
>
> > I suggest the following ABNF.
> >
> >   Strict-Transport-Security = "Strict-Transport-Security" ":"
> >                                  directive *( ";" directive )
> >
> >   directive                 = [ token [ "=" ( token | quoted-string 
> ) ] ]
>
>
> Well, I've been counseled in the past (and agree with it) that having 
> an ABNF production that is potentially totally null is not such a good 
> idea.
>
> Perhaps this approach addresses this problem and is closer to what 
> Julian intended..
>
>      Strict-Transport-Security = "Strict-Transport-Security" ":"
>                                  [ directive ]  *( ";" [ directive ] )
>
>      directive                 = token [ "=" ( token | quoted-string ) ]
>
> ?
I think this is fine. And you can enforce "can't be totally null" in 
prose, if you don't want to fix this in ABNF.



From julian.reschke@gmx.de  Sat Mar 24 03:28:33 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B912A21F86FD for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.136
X-Spam-Level: 
X-Spam-Status: No, score=-103.136 tagged_above=-999 required=5 tests=[AWL=-0.537, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYeHKDoAqZp3 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:28:33 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id BE1D721F855A for <websec@ietf.org>; Sat, 24 Mar 2012 03:28:32 -0700 (PDT)
Received: (qmail invoked by alias); 24 Mar 2012 10:28:31 -0000
Received: from p57A6E4F6.dip.t-dialin.net (EHLO [192.168.178.36]) [87.166.228.246] by mail.gmx.net (mp027) with SMTP; 24 Mar 2012 11:28:31 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19unFhhOpNu1JSUn6yhU7QEh3nGMCbMZI7MziqfNf 8BAJ/E14JNQ9pR
Message-ID: <4F6DA1BC.7030605@gmx.de>
Date: Sat, 24 Mar 2012 11:28:12 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <4F6D00C2.6090805@KingsMountain.com> <4F6D9F83.9000504@isode.com>
In-Reply-To: <4F6D9F83.9000504@isode.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 10:28:33 -0000

On 2012-03-24 11:18, Alexey Melnikov wrote:
> ...
> I think this is fine. And you can enforce "can't be totally null" in
> prose, if you don't want to fix this in ABNF.
> ...

There will always be constraints not checkable in the ABNF.

I recommend keeping the ABNF simple (in particular not including 
syntactical constructs that vary by parameter name :-), and putting all 
other constraints either into prose, or into separate ABNF rules for 
specific parameter values.

Best regards, Julian
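The parser that the grammar discussed in this thread implies, as an added example that is not code from the thread or from the draft: it accepts the `[ directive ] *( ";" [ directive ] )` form, empty slots included, and then enforces in code the constraints that Alexey and Julian would leave to prose. The particular prose constraints checked (at least one directive, max-age required, no repeated names, includeSubDomains valueless, unknown directives ignored) are taken from HSTS as published in RFC 6797, not from this thread, and the token/quoted-string productions follow RFC 2616 with whitespace around "=" allowed as implied LWS.

```python
import re

# Added example, not code from the thread or the draft. It parses a
# Strict-Transport-Security field value with the grammar JeffH proposed,
#   [ directive ] *( ";" [ directive ] )
#   directive = token [ "=" ( token / quoted-string ) ]
# so empty slots (a leading, trailing or doubled ";") are tolerated, and
# then checks separately the constraints the ABNF cannot express.

# token and quoted-string as in RFC 2616 (quoted-string without LWS folding).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# Whitespace around "=" is RFC 2616 implied LWS, not part of the bare ABNF.
DIRECTIVE_RE = re.compile(
    rf"^\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED_STRING}))?\s*$")
DELTA_SECONDS_RE = re.compile(r"[0-9]+")


class STSSyntaxError(ValueError): """The value does not match the grammar."""
class STSPolicyError(ValueError): """Grammar is fine, a prose constraint is not."""


def split_directives(value):
    """Split on ';' outside quoted-strings, keeping empty slots."""
    slots, buf, in_quote, escaped = [], [], False, False
    for ch in value:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True  # quoted-pair: the next char is literal
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ";":
            slots.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise STSSyntaxError("unterminated quoted-string")
    slots.append("".join(buf))
    return slots


def parse_sts(value):
    """Return [(name, value-or-None), ...]; empty [ directive ] slots are skipped."""
    directives = []
    for slot in split_directives(value):
        if not slot.strip():
            continue  # an empty "[ directive ]" slot, legal in this grammar
        m = DIRECTIVE_RE.match(slot)
        if m is None:
            raise STSSyntaxError(f"malformed directive: {slot!r}")
        val = m.group("value")
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # strip DQUOTEs, unescape
        directives.append((m.group("name"), val))
    return directives


def validate_sts(value):
    """Apply the constraints that live in prose rather than in the ABNF.

    Taken from HSTS as published (RFC 6797), not from the thread: at least
    one directive; max-age required with a delta-seconds value; names are
    case-insensitive and not repeated; includeSubDomains takes no value;
    unknown directives are ignored, not rejected.
    """
    directives = parse_sts(value)
    if not directives:
        raise STSPolicyError("header carries no directives")
    policy = {"max_age": None, "include_subdomains": False, "ignored": []}
    seen = set()
    for name, val in directives:
        lname = name.lower()
        if lname in seen:
            raise STSPolicyError(f"directive {name!r} given more than once")
        seen.add(lname)
        if lname == "max-age":
            if val is None or not DELTA_SECONDS_RE.fullmatch(val):
                raise STSPolicyError("max-age needs a delta-seconds value")
            policy["max_age"] = int(val)
        elif lname == "includesubdomains":
            if val is not None:
                raise STSPolicyError("includeSubDomains takes no value")
            policy["include_subdomains"] = True
        else:
            policy["ignored"].append(name)
    if policy["max_age"] is None:
        raise STSPolicyError("max-age directive is required")
    return policy
```

Note that `parse_sts("")` succeeds with an empty list, which is exactly the "totally null" case the grammar permits; `validate_sts` is where that is rejected.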

From tobias.gondrom@gondrom.org  Sat Mar 24 03:32:11 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37FBA21F86FD for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.605
X-Spam-Level: 
X-Spam-Status: No, score=-96.605 tagged_above=-999 required=5 tests=[AWL=0.172, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cv8FiEQebiHE for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:32:10 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 590B121F86C1 for <websec@ietf.org>; Sat, 24 Mar 2012 03:32:08 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=U9x1n5yKBTnh9AChFnWEVBDZ8pT7wKPuUSHhqdcA6VkKCuSdk4gnNJViIK6Jt6BZm6XH7QJOC9y+tf6czEkJmweeNnr2da7GUfXnNddI+OaNDbGiSkB1N2E6KdqzBhhs; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type;
Received: (qmail 11466 invoked from network); 24 Mar 2012 11:32:05 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.76?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Mar 2012 11:32:05 +0100
Message-ID: <4F6DA2A5.9040103@gondrom.org>
Date: Sat, 24 Mar 2012 10:32:05 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120310 Thunderbird/11.0
MIME-Version: 1.0
To: julian.reschke@gmx.de
References: <4F6D00C2.6090805@KingsMountain.com> <4F6D9F83.9000504@isode.com> <4F6DA1BC.7030605@gmx.de>
In-Reply-To: <4F6DA1BC.7030605@gmx.de>
Content-Type: multipart/alternative; boundary="------------020807040303080304070509"
Cc: websec@ietf.org
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 10:32:11 -0000

This is a multi-part message in MIME format.
--------------020807040303080304070509
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 24/03/12 10:28, Julian Reschke wrote:
> On 2012-03-24 11:18, Alexey Melnikov wrote:
>> ...
>> I think this is fine. And you can enforce "can't be totally null" in
>> prose, if you don't want to fix this in ABNF.
>> ...
>
> There will always be constraints not checkable in the ABNF.
>
> I recommend keeping the ABNF simple (in particular not including 
> syntactical constructs that vary by parameter name :-), and putting all 
> other constraints either into prose, or into separate ABNF rules for 
> specific parameter values.
>
> Best regards, Julian
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

<hat="individual">
Fully agree with that recommendation.
+1

Tobias


--------------020807040303080304070509--

From alexey.melnikov@isode.com  Sat Mar 24 05:20:19 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EDFF21F8729 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 05:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnH1WUNa6Pwn for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 05:20:18 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 1D22521F8722 for <websec@ietf.org>; Sat, 24 Mar 2012 05:20:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332591617; d=isode.com; s=selector; i=@isode.com; bh=IzrOCcev964WTvVPHVxbQVkM3EO+dioQ85NhWx/DVXU=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=YR4We/oldWjbu4RKN8hLVNvIQwc1Lk0xkXz1/ih9eFmQAGoAH6jggVb+pbAu3e7SeakO0h ZZ0rY21bOq4Gf6GIDx0qOenkQKQT0L26sjlqI6jatO3e3HEDX4NRJjQs843Zb+Y7nWycoX FhQAq8xL3RNInlVbmUzWoa+xshJ++aQ=;
Received: from [130.129.18.66] (dhcp-1242.meeting.ietf.org [130.129.18.66])  by rufus.isode.com (submission channel) via TCP with ESMTPSA  id <T228AAAiklMv@rufus.isode.com>; Sat, 24 Mar 2012 12:20:17 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F6DBC03.4@isode.com>
Date: Sat, 24 Mar 2012 13:20:19 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4F66623F.9000300@gondrom.org> <B7C71F2C-D1ED-4C82-ADB9-23E65DC6150C@vpnc.org>
In-Reply-To: <B7C71F2C-D1ED-4C82-ADB9-23E65DC6150C@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 12:20:19 -0000

On 21/03/2012 01:21, Paul Hoffman wrote:
> Greetings again. I have read the draft again, and am quite happy that this is moving forwards. Having said that, I have a list of issues that I think need to be dealt with, and a few editorial issues.
>
> --Paul Hoffman
Hi Paul,
Thanks for the very good comments. I agree with all of them except for 
one thing:
> RFC 2818 is listed as a normative reference, and yet it is Informational.
I disagree with you: it is normative for the definition of HTTPS.
> This will need to be called out in the PROTO report.
This would be fine. RFC 2818 is in the DownRef registry, so it doesn't 
even need to be explicitly called out during IETF LC.
> Alternately, it can be called an informative reference, since one does not need to understand it in order to implement this document.


From tobias.gondrom@gondrom.org  Sat Mar 24 11:28:55 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2DC21F8551 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 11:28:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.62
X-Spam-Level: 
X-Spam-Status: No, score=-96.62 tagged_above=-999 required=5 tests=[AWL=0.158,  BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426,  HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oa3vr17wEtK for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 11:28:54 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 695BE21F854F for <websec@ietf.org>; Sat, 24 Mar 2012 11:28:54 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=GbKnmLZsotxbBDqQu0+xbdP4hVO9OuXSO66iMDqpyeOqUhrbcNHtSRk8rotSSFAhPHN+lA/KqZAeWXPcG6QhdbyfwnCxMVJo/ruafNXj5bPTwJgnTc3jRZEjBCsNGN7g; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 17570 invoked from network); 24 Mar 2012 19:28:52 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.76?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Mar 2012 19:28:52 +0100
Message-ID: <4F6E1263.7010005@gondrom.org>
Date: Sat, 24 Mar 2012 18:28:51 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120310 Thunderbird/11.0
MIME-Version: 1.0
To: websec@ietf.org
References: <4F66623F.9000300@gondrom.org> <C6475516-1D41-4510-B207-AFED1DC91840@checkpoint.com> <FD84C9BC-A279-494B-87BF-3B3051FD602D@vpnc.org>
In-Reply-To: <FD84C9BC-A279-494B-87BF-3B3051FD602D@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 18:28:55 -0000

On 21/03/12 14:44, Paul Hoffman wrote:
> On Mar 21, 2012, at 1:56 AM, Yoav Nir wrote:
>
>> I have said this before, and was rejected by the group, so I'll raise this one last time here.
>> Section 8.3 makes it a MUST-level requirement that any failure of the underlying secure transport. Section 11.1 clarifies that there should be no user recourse for this. This makes the cost of implementing unreasonably high, and significantly discourages trial roll-outs. Adding an HSTS header to your web site takes about 2 lines of configuration file in Apache. But doing so makes small errors like letting the certificate lapse or using links with a different FQDN cause hard failures. Both these sections do now state specifically what constitutes a failure, so it might be that the intention was not to include expirations. I think this should be clarified, but mismatched names obviously apply.
>> I suggest that either we remove the no user recourse advice, or else add a "hardfail" directive. Roll out with "hardfail=no", and if people don't complain, change to "hardfail=yes"
> I support this idea. As we have seen with the rollout of DNSSEC, hardfails turn into bad publicity, which then turn into delayed deployment. The browser industry experiments with different ways to alert the user or hardfail, and the addition of this option would aid those experiments.
<hat="individual">
Agree. Personally I'm not a fan of the temporary migration switch 
"hardfail=no" solution, but I can see the benefit for the transition. 
Still it would be important that servers switch to "hardfail=yes" at 
some point....
E.g. the document should state that a server SHOULD set the directive to 
"hardfail=yes" and only for testing and migration periods MAY use 
"hardfail=yes".

>> Section 10.3 discusses the case where the server or some subdomain also hosts CRLs or OCSP and suggests some work-around to the "all TCP" port requirement. Fetching CRLs is a different context than rendering a web page. I think the suggestions should be removed and a sentence added that says that the STS policy does not apply to fetching of revocation information by the browser. I think this would be far easier to implement.
> This is a very good idea and will lead to fewer surprises. There is no need to SSL-protect CRL fetches. In fact, requiring SSL-protection on CRL fetches is impossible, since you need the CRL in order to get the CRL.
<hat="individual">
Absolutely correct indeed. And also CRLs are integrity-protected by their 
signature.

>
> --Paul Hoffman
>


From Jeff.Hodges@KingsMountain.com  Sun Mar 25 21:22:39 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5548721E805A for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 21:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.495
X-Spam-Level: 
X-Spam-Status: No, score=-100.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553,  RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7hvO5shgApv for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 21:22:38 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 7C8B821E8034 for <websec@ietf.org>; Sun, 25 Mar 2012 21:22:35 -0700 (PDT)
Received: (qmail 13148 invoked by uid 0); 26 Mar 2012 04:22:35 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 26 Mar 2012 04:22:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=q3QRp3dqOgFqLEBgdEzczeX4GvuSQm2JKFnX4Yfv7EM=;  b=Toh0BHIgpIIlE14bH3Abl+IA32GUfbMNsv1xIDvfCfTTNrI332kfku+qISLNMZVIL10DofoqqeIjQkeUJTqDQhPxNo7UHeOLgzFKA3HQV3fUTDL+nij2Ybn47McGtXu2;
Received: from dhcp-43b9.meeting.ietf.org ([130.129.67.185]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SC1Rw-0006zu-F8 for websec@ietf.org; Sun, 25 Mar 2012 22:22:33 -0600
Message-ID: <4F6FEF04.7050800@KingsMountain.com>
Date: Sun, 25 Mar 2012 21:22:28 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.67.185 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 04:22:39 -0000

[ this msg is a tad late, -06 was pub'd on 12-Mar, apologies. Sending it for 
the record. ]

New rev:
https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-06

This rev addresses issue ticket #38 (Tobias' editorial comments from:
https://www.ietf.org/mail-archive/web/websec/current/msg01076.html
)

full issue ticket list for strict-transport-sec:
<http://trac.tools.ietf.org/wg/websec/trac/query?status=assigned&status=closed&status=new&status=reopened&component=strict-transport-sec&order=id>

Redline spec diff from previous rev:
https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-websec-strict-transport-sec-06.txt


=JeffH


==============================================================


Appendix D. Change Log


    [RFCEditor: please remove this section upon publication as an RFC.]

    Changes are grouped by spec revision listed in reverse issuance
    order.

D.1. For draft-ietf-websec-strict-transport-sec


       Changes from -05 to -06:

       1.  Addressed various editorial comments provided by Tobias G.
           This addresses issue ticket #38.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/38>

       Changes from -04 to -05:
                 .
                 .
                 .
                 .
---
end


From Jeff.Hodges@KingsMountain.com  Sun Mar 25 23:38:55 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2491521E8083 for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.751
X-Spam-Level: 
X-Spam-Status: No, score=-99.751 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_05=-1.11, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JmN+z+rUsAB1 for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:38:54 -0700 (PDT)
Received: from oproxy3-pub.bluehost.com (oproxy3.bluehost.com [IPv6:2605:dc00:100:2::a3]) by ietfa.amsl.com (Postfix) with SMTP id 2739D21F8478 for <websec@ietf.org>; Sun, 25 Mar 2012 23:38:54 -0700 (PDT)
Received: (qmail 1844 invoked by uid 0); 26 Mar 2012 06:38:53 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 26 Mar 2012 06:38:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=xeNangr3eGEf2Sct/kGYVwr4nFXlsPT/XguO7cP3/H4=;  b=W7gNfb0DXA+Uo5w33EQdqMcnyZb3hzNzpX8gh7fprY34uH2J182O1Knmlc7e+wiQzCZH2Q72dzYv3Ps9mb+SiwMrTXxEPMk02RdSrPufQ3oLyvrU9v4TEdfVTuSJjXNa;
Received: from dhcp-43b9.meeting.ietf.org ([130.129.67.185]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SC3Zs-0004JA-PD for websec@ietf.org; Mon, 26 Mar 2012 00:38:53 -0600
Message-ID: <4F700EF9.5010703@KingsMountain.com>
Date: Sun, 25 Mar 2012 23:38:49 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.67.185 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 06:38:55 -0000

 >>  >> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
 >>  >> includeSubDomains directives, and neither of those directives employ
 >>  >> quoted-string, and I don't think they need to or should.
 >>  >
 >>  > I think they should, because it's likely that people will write parsers
 >>  > that allow both, thus you'll have an automated (and totally unneeded)
 >>  > interoperability problem.
 >>
 >> Well, I'm not terribly convinced about this, especially given my code
 >> reconnaissance in Firefox and Chrome.
 >
 > When you checked Firefox, did it support quoted-string for extension
 > directives? See?

I am not sure what you mean by "See?" -- the parsers for the STS header in both 
Firefox and Chrome are one-off hand-coded specific parsers, for better or worse 
(I'm not sure why they were done that way), and neither one supports 
quoted-string for anything in the STS header IIRC.

That said, given the present definitions of the STS directives...

     max-age           = "max-age" "=" delta-seconds

     delta-seconds     = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

     includeSubDomains = "includeSubDomains"


I'm not sure how to cleanly and unambiguously define them in terms of both 
token and quoted-string (and retain max-age's basis on delta-seconds). Perhaps 
you could propose how to do this?

Also, we need to consciously realize that even if we define it in this fancier 
way in the spec, the present HSTS implementations won't match this, and may 
never do so. i.e. yes, you can submit bugs and wait and see what happens.

=JeffH

ps...

 >>  > I think they should, because it's likely that people will write parsers
 >>  > that allow both,

I think "likely" should in reality be "may" in the above. There's a ton of 
parsers already written (Firefox alone has several different ones apparently 
from what I can discern) that don't follow the (relatively recent) "parse 
parameter values in both token and quoted-string forms" mantra.

And so you're hoping both that existing parsers get updated to follow the 
general guidelines in "3.1 Considerations for Creating Header Fields" 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1>, 
and that new ones also adhere to said considerations.
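An added example, not code from the draft, from Firefox or from Chrome: a parser for the STS field value under the directive definitions quoted above, written to show where the token vs. quoted-string question lands, and using the "hardfail" directive proposed earlier in this thread purely as a sample extension directive. It assumes (my choices, not the draft's) that max-age and includeSubDomains accept only the token form while extension directives accept either form, that directive names compare case-insensitively, and that a repeated directive is a syntax error.

```python
import re

# RFC 2616 token and quoted-string, the two value forms under discussion
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# one directive: name [ "=" ( quoted-string / token ) ], OWS only around ';'
DIRECTIVE = re.compile(
    rf"\s*(?P<name>{TOKEN})(?:=(?P<value>{QUOTED}|{TOKEN}))?\s*$"
)


class HstsSyntaxError(ValueError):
    """Raised for a field value the grammar does not accept."""


def unquote(value):
    """Return the content of an RFC 2616 quoted-string (quoted-pairs
    resolved); a token is returned unchanged."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts(field_value):
    """Parse one Strict-Transport-Security field value.

    Returns {"max-age": int, "includeSubDomains": bool, "extensions": {...}}.
    max-age is delta-seconds = 1*DIGIT in token form only, so max-age="600"
    is rejected here: that is exactly the case the thread is arguing about.
    Extension directives are accepted in token or quoted-string form.
    Assumptions not taken from the draft: names compare case-insensitively
    and a repeated directive name is a syntax error.
    """
    result = {"max-age": None, "includeSubDomains": False, "extensions": {}}
    seen = set()
    for raw in field_value.split(";"):
        if not raw.strip():
            continue  # tolerate an empty element, e.g. a trailing ';'
        m = DIRECTIVE.match(raw)
        if m is None:
            raise HstsSyntaxError(f"malformed directive: {raw!r}")
        name = m.group("name").lower()
        value = m.group("value")
        if name in seen:
            raise HstsSyntaxError(f"repeated directive: {name}")
        seen.add(name)
        if name == "max-age":
            if value is None or not re.fullmatch(r"[0-9]+", value):
                raise HstsSyntaxError(f"max-age must be 1*DIGIT, got {value!r}")
            result["max-age"] = int(value)
        elif name == "includesubdomains":
            if value is not None:
                raise HstsSyntaxError("includeSubDomains takes no value")
            result["includeSubDomains"] = True
        else:
            # extension directive: keep the unquoted value (None if valueless)
            result["extensions"][name] = None if value is None else unquote(value)
    if result["max-age"] is None:
        raise HstsSyntaxError("max-age directive is required")
    return result


def is_valid_sts(field_value):
    """True when parse_sts accepts the field value."""
    try:
        parse_sts(field_value)
        return True
    except HstsSyntaxError:
        return False


def hardfail_required(parsed):
    """Yoav Nir's proposed migration switch from this thread, modelled as an
    extension directive (hypothetical, not in draft-06): every secure-transport
    error is a hard failure unless the server explicitly sent hardfail=no.
    Defaulting to hard failure keeps the draft-06 behaviour."""
    value = parsed["extensions"].get("hardfail") or "yes"
    return value.lower() != "no"


if __name__ == "__main__":
    # constructed sample field values; the third is the contested form
    for sample in ("max-age=31536000; includeSubDomains",
                   'max-age=600; hardfail="no"',
                   'max-age="600"'):
        print(f"{sample!r}: valid={is_valid_sts(sample)}")
```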





From stpeter@stpeter.im  Sun Mar 25 23:39:21 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FA6421F8474 for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0a-j2PfP8VMW for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:39:20 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDA221F8470 for <websec@ietf.org>; Sun, 25 Mar 2012 23:39:20 -0700 (PDT)
Received: from dhcp-1422.meeting.ietf.org (unknown [130.129.20.34]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 0C4EA4005B; Mon, 26 Mar 2012 00:52:18 -0600 (MDT)
Message-ID: <4F700F15.3090508@stpeter.im>
Date: Mon, 26 Mar 2012 08:39:17 +0200
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:11.0) Gecko/20120313 Thunderbird/11.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F6FEF04.7050800@KingsMountain.com>
In-Reply-To: <4F6FEF04.7050800@KingsMountain.com>
X-Enigmail-Version: 1.4
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 06:39:21 -0000


On 3/26/12 6:22 AM, =JeffH wrote:
> [ this msg is a tad late, -06 was pub'd on 12-Mar, apologies.
> Sending it for the record. ]

Hi Jeff, thanks for addressing my earlier comments. I found time to
read -06 on the flight to Paris. Here are some small comments.

Section 1:

   This specification also incorporates notions from [JacksonBarth2008]
   in that policy is applied on an "entire-host" basis: it applies to
   all TCP ports of the issuing host.

Please make it clear that all TCP ports does not mean all application
protocols, only HTTP on all ports where it might be offered (not only
the ports registered with the IANA).

Section 7.2

Does it make sense to mention that status code 308 might be
appropriate in certain circumstances? See draft-reschke-http-status-308.

Section 8.4

The HTTP-Equiv <Meta> Element Attribute is defined in the HTML
specification, so a reference would be helpful.

Section 9

The phrase "valid Unicode-encoded string-serialized domain name" seems
a bit strange, because we don't typically refer to Unicode as an
encoding scheme. See RFC 6365 regarding such terminology.

Section 11.1

I think the text about "no user recourse" conflates two things:
showing a warning, and allowing the user to click through: "the user
should not be presented with an explanatory dialog giving her the
option to proceed." Would it be OK for a user agent to show an
explanatory dialog but not provide an option to proceed? Is there a
security reason to fail the connection without any explanation?

Section 11.5

The note is worded a bit oddly (e.g., "it shouldn't be possible for an
attacker to inject script..." might be better worded along the lines
of "implementations need to guard against allowing an attacker to
inject script...").

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

From trac+websec@trac.tools.ietf.org  Sun Mar 25 23:56:03 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAF5121F84A6 for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:56:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXgo4BdiYwmi for <websec@ietfa.amsl.com>; Sun, 25 Mar 2012 23:56:03 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 30E0C21F848F for <websec@ietf.org>; Sun, 25 Mar 2012 23:56:02 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC3pj-0003WO-Jq; Mon, 26 Mar 2012 02:55:15 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 06:55:14 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:5
Message-ID: <085.9c1d179a1480f6c959bb20e0ce79b553@trac.tools.ietf.org>
References: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-Trac-Ticket-ID: 33
In-Reply-To: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, julian.reschke@gmx.de, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326065603.30E0C21F848F@ietfa.amsl.com>
Resent-Date: Sun, 25 Mar 2012 23:56:02 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #33: HSTS: quoted-string grammar in (extension) directives ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 06:56:03 -0000

#33: HSTS: quoted-string grammar in (extension) directives ?

Changes (by jeff.hodges@…):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Need to re-fix STS grammar that appears in -06 (see entire thread rooted
 here)...

 https://www.ietf.org/mail-archive/web/websec/current/msg01096.html

 Also, the quoted-string debate continues...

 https://www.ietf.org/mail-archive/web/websec/current/msg01107.html

-- 
-------------------------------------------------------------------------
 Reporter:    jeff.hodges@…
 Owner:       draft-ietf-websec-strict-transport-sec@…
 Type:        defect
 Status:      reopened
 Priority:    major
 Milestone:
 Component:   strict-transport-sec
 Version:
 Resolution:
 Severity:    Active WG Document
 Keywords:
-------------------------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:5>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Mon Mar 26 00:03:00 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D53021F8467 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRrYR7ay5nYg for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:02:59 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id B210721F842A for <websec@ietf.org>; Mon, 26 Mar 2012 00:02:59 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC3x1-0003UB-6Y; Mon, 26 Mar 2012 03:02:47 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:02:47 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/39
Message-ID: <070.8c5375186013134e689ba7b15f8ec943@trac.tools.ietf.org>
X-Trac-Ticket-ID: 39
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326070259.B210721F842A@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:02:59 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec]  #39: appropriately acknowledge and accommodate DANE
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:03:00 -0000

#39: appropriately acknowledge and accommodate DANE

 see..

 Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06
 until April-9  (paul hoffman)
 https://www.ietf.org/mail-archive/web/websec/current/msg01092.html

 This document pretends that the TLSA protocol from the DANE WG will not
 exist. This is a tad odd, given that TLSA is likely to be published a few
 weeks before HSTS. In specific, bullet 2 of section 2.2 and all of section
 10.2 are written as if self-signed certificates will always cause HSTS-
 compliant browsers to fail, even if those certificates cause matching when
 used with TLSA.

 Proposed replacements:

    2.  The UA terminates any secure transport connection attempts upon
        any and all secure transport errors or warnings, including those
        caused by a web application presenting a certificate that does
        chain to a trusted root or match a trusted certificate association
        from the TLSA protocol [I-D.draft-ietf-dane-protocol].

 . . .

    If a web site/organization/enterprise is generating their own secure
    transport public-key certificates for web sites, and that
    organization's root certification authority (CA) certificate is not
    typically embedded by default in browser CA certificate stores, and
    if HSTS Policy is enabled on a site identifying itself using a self-
    signed certificate, and the certificate presented by the TLS server
    does not match a trusted certificate association from the TLSA
    protocol [I-D.draft-ietf-dane-protocol],
    then secure connections to that site will fail,
    per the HSTS design.  This is to protect against various active
    attacks, as discussed above.

    However, if said organization strongly wishes to employ self-signed
    certificates, and their own CA in concert with HSTS, they can do so
    by deploying their root CA certificate to their users' browsers.
    They can also, in addition or instead, distribute to their users'
    browsers the end-entity certificate(s) for specific hosts.  There are
    various ways in which this can be accomplished (details are out of
    scope for this specification).  Once their root CA certificate is
    installed in the browsers, they may employ HSTS Policy on their
    site(s).

    Alternately, that organization can deploy the TLSA protocol; all
    browsers that also use TLSA will then be able to trust the
    self-signed certificates if it is announced through TLSA.

    Note:  Interactively distributing root CA certificates to users,
           e.g., via email, and having the users install them, is
           arguably training the users to be susceptible to a possible
           form of phishing attack, see Section 14.6 "Bogus Root CA
           Certificate Phish plus DNS Cache Poisoning Attack".

-- 
-------------------------------------------------------------------------
 Reporter:    jeff.hodges@…
 Owner:       draft-ietf-websec-strict-transport-sec@…
 Type:        defect
 Status:      new
 Priority:    major
 Milestone:
 Component:   strict-transport-sec
 Version:
 Keywords:
 Severity:    In WG Last Call
-------------------------------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/39>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Mon Mar 26 00:15:50 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF36021F8460 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWP+OA37O4xM for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:15:48 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 6FDD921F845D for <websec@ietf.org>; Mon, 26 Mar 2012 00:15:47 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC49F-0006fZ-7p; Mon, 26 Mar 2012 03:15:25 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:15:25 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/40
Message-ID: <070.2b15f3c9acfbd2014856105820738ee9@trac.tools.ietf.org>
X-Trac-Ticket-ID: 40
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326071548.6FDD921F845D@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:15:47 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec]  #40: Various editorial comments on -06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:15:51 -0000

#40: Various editorial comments on -06

 https://www.ietf.org/mail-archive/web/websec/current/msg01092.html - paul
 hoffman

 Editorial:

 "annunciate" (used a few times) is a fancy word for "announce". Maybe use
 the far more common word instead.

 In section 3.1, "suboptimal downside" is unclear. Is there an optimal
 downside? I suggest replacing it with "negative".

 The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are
 used in 11.1 and 11.3. This should be an easy fix.


 https://www.ietf.org/mail-archive/web/websec/current/msg01093.html - yoav
 nir

 Editorial:

 In the introduction 2nd paragraph it says "(although modulo other rules)".
 s/modulo/subject to/.

 Also, replace "annunciate" with "announce" or "indicate".

 Both the introduction and section 8.2 say the policy applies to "all TCP
 ports". Hosts have multiple TCP ports: for SSH as an example. I suggest we
 change to "all HTTP(S) ports"

 In the title of section 8.5, I think we can do without the word
 "Interstitially".

 Section 10.1 begins with "Server implementations and deploying web sites
 need to consider whether they are setting…". Searching for the alternative
 (because an implied "or not" doesn't work for this sentence) took me to
 the 4th paragraph of this section, and the top of page 21, which begins
 with "Or, whether they are setting". This won't make it past the RFC
 editor, but I think it should be rephrased earlier.

 Section 14.1 discusses a UA behind an SSL proxy and implies that such a
 connection will cause warning screens (without HSTS) or hard failures.
 Such a deployment would be considered a wrong deployment of an SSL proxy.
 Administrators usually configure the UAs that are managed, and give
 detailed instructions to the owners of UAs that are not managed, so that
 the CA used by the proxy is trusted. There should be no warnings and no
 hard failures.


 https://www.ietf.org/mail-archive/web/websec/current/msg01108.html
 StPeter

 Section 1:

    This specification also incorporates notions from [JacksonBarth2008]
    in that policy is applied on an "entire-host" basis: it applies to
    all TCP ports of the issuing host.

 Please make it clear that all TCP ports does not mean all application
 protocols, only HTTP on all ports where it might be offered (not only
 the ports registered with the IANA).

 Section 7.2

 Does it make sense to mention that status code 308 might be
 appropriate in certain circumstances? See draft-reschke-http-status-308.

 Section 8.4

 The HTTP-Equiv <Meta> Element Attribute is defined in the HTML
 specification, so a reference would be helpful.

 Section 9

 The phrase "valid Unicode-encoded string-serialized domain name" seems
 a bit strange, because we don't typically refer to Unicode as an
 encoding scheme. See RFC 6365 regarding such terminology.

 Section 11.1

 I think the text about "no user recourse" conflates two things:
 showing a warning, and allowing the user to click through: "the user
 should not be presented with an explanatory dialog giving her the
 option to proceed." Would it be OK for a user agent to show an
 explanatory dialog but not provide an option to proceed? Is there a
 security reason to fail the connection without any explanation?

 Section 11.5

 The note is worded a bit oddly (e.g., "it shouldn't be possible for an
 attacker to inject script..." might be better worded along the lines
 of "implementations need to guard against allowing an attacker to
 inject script...").

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
  jeff.hodges@…          |  sec@…
     Type:  defect       |     Status:  new
 Priority:  minor        |  Milestone:
Component:  strict-      |    Version:
  transport-sec          |   Keywords:
 Severity:  In WG Last   |
  Call                   |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/40>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Mon Mar 26 00:20:30 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4E821F846E for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+8caDxZ8N5Q for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBD521F8493 for <websec@ietf.org>; Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC4E3-0006yn-WF; Mon, 26 Mar 2012 03:20:24 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:20:23 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/41
Message-ID: <070.d03fad09be18f8768e0c0b6b191f9c78@trac.tools.ietf.org>
X-Trac-Ticket-ID: 41
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326072027.5FBD521F8493@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:20:27 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec] #41: add parameter indicating whether to hardfail or not
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:20:30 -0000

#41: add parameter indicating whether to hardfail or not

 https://www.ietf.org/mail-archive/web/websec/current/msg01093.html - yoav
 nir

 The significant:

 I have said this before, and was rejected by the group, so I'll raise this
 one last time here.
 Section 8.3 makes it a MUST-level requirement that any failure of the
 underlying secure transport. Section 11.1 clarifies that there should be
 no user recourse for this. This makes the cost of implementing
 unreasonably high, and significantly discourages trial roll-outs. Adding
 an HSTS header to your web site takes about 2 lines of configuration file
 in Apache. But doing so makes small errors like letting the certificate
 lapse or using links with a different FQDN cause hard failures. Both these
 sections do now state specifically what constitutes a failure, so it might
 be that the intention was not to include expirations. I think this should
 be clarified, but mismatched names obviously apply.
 I suggest that either we remove the no user recourse advice, or else add a
 "hardfail" directive. Roll out with "hardfail=no", and if people don't
 complain, change to "hardfail=yes"

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
  jeff.hodges@…          |  sec@…
     Type:  enhancement  |     Status:  new
 Priority:  major        |  Milestone:
Component:  strict-      |    Version:
  transport-sec          |   Keywords:
 Severity:  In WG Last   |
  Call                   |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/41>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Mon Mar 26 00:22:17 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F91021F8467 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnzGwaqE-TPJ for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:22:16 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 61F3921F8472 for <websec@ietf.org>; Mon, 26 Mar 2012 00:22:16 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC4Fj-0002uY-HG; Mon, 26 Mar 2012 03:22:07 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:22:07 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/42
Message-ID: <070.4815d0321df1c7e00f76c8e99a03ba9d@trac.tools.ietf.org>
X-Trac-Ticket-ID: 42
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326072216.61F3921F8472@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:22:16 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec]  #42: STS exception for CRL fetching
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:22:17 -0000

#42: STS exception for CRL fetching

 https://www.ietf.org/mail-archive/web/websec/current/msg01093.html - yoav
 nir

 Section 10.3 discusses the case where the server or some subdomain also
 hosts CRLs or OCSP and suggests some work-around to the "all TCP" port
 requirement. Fetching CRLs is a different context than rendering a web
 page. I think the suggestions should be removed and a sentence added that
 says that the STS policy does not apply to fetching of revocation
 information by the browser. I think this would be far easier to implement.

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
  jeff.hodges@…          |  sec@…
     Type:  enhancement  |     Status:  new
 Priority:  major        |  Milestone:
Component:  strict-      |    Version:
  transport-sec          |   Keywords:
 Severity:  In WG Last   |
  Call                   |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/42>
websec <http://tools.ietf.org/websec/>


From julian.reschke@gmx.de  Mon Mar 26 00:38:58 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CCB521F84F7 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.219
X-Spam-Level: 
X-Spam-Status: No, score=-104.219 tagged_above=-999 required=5 tests=[AWL=-1.620, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4qA5v-3lodSf for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:38:57 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 3015421F84FF for <websec@ietf.org>; Mon, 26 Mar 2012 00:38:56 -0700 (PDT)
Received: (qmail invoked by alias); 26 Mar 2012 07:38:54 -0000
Received: from mail.greenbytes.de (EHLO [IPv6:::1]) [217.91.35.233] by mail.gmx.net (mp012) with SMTP; 26 Mar 2012 09:38:54 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX190uqQmxfp0VnnpGghCG8cgvvyD+dAb+lzgCm4S7S zenq2GsmAVcspA
Message-ID: <4F701D02.1000104@gmx.de>
Date: Mon, 26 Mar 2012 09:38:42 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F700EF9.5010703@KingsMountain.com>
In-Reply-To: <4F700EF9.5010703@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:38:58 -0000

On 2012-03-26 08:38, =JeffH wrote:
>  >> >> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
>  >> >> includeSubDomains directives, and neither of those directives employ
>  >> >> quoted-string, and I don't think they need to or should.
>  >> >
>  >> > I think they should, because it's likely that people will write parsers
>  >> > that allow both, thus you'll have an automated (and totally unneeded)
>  >> > interoperability problem.
>  >>
>  >> Well, i'm not terribly convinced about this, especially given my code
>  >> reconnaissance in Firefox and Chrome.
>  >
>  > When you checked Firefox, did it support quoted-string for extension
>  > directives? See?
>
> I am not sure what you mean by "See?" -- the parsers for STS header in
> both firefox and chrome are one-off hand-coded specific parsers, for
> better or worse (I'm not sure why they were done that way), and neither
> one supports quoted-string for anything in the STS header IIRC.

Yes (but I have inspected only the FF code).

The reason I asked "See?" is that you can't use the fact that FF doesn't 
support q-s for the builtin parameters as argument against q-s. Right 
now it's not using q-s at all; thus, it's currently not conforming to 
the spec as written anyway and will have to be fixed.

If it was fixed to be conforming to the current spec, I would suspect 
there's a good chance it would start using q-s everywhere, instead of 
special-casing based on the parameter name.

> That said, given the present definitions of the STS directives...
>
> max-age = "max-age" "=" delta-seconds
>
> delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
>
> includeSubDomains = "includeSubDomains"
>
>
> I'm not sure how to cleanly and unambiguously define them in terms of
> both token and quoted-string (and retain max-age's basis on
> delta-seconds). Perhaps you could propose how to do this?

Just define the base grammar for the overall parsing; such as "Expect" 
in httpbis:

 
http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.10.3

or the "Prefer" I-D:

 
http://greenbytes.de/tech/webdav/draft-snell-http-prefer-12.html#rfc.section.2

You can still use ABNF to put additional restrictions on the value, but 
these constraints then should apply to the parameter value after q-s 
unescaping.

Note that I have a TODO to apply this change to Cache-Control in HTTPbis 
P6 and haven't done that yet. The problem here is that implementations 
of Cache-Control in browsers are incredibly broken (see?), so it's not 
clear how much cleanup is possible at this point.

Let's not repeat these mistakes with entirely new header fields.

> Also, we need to consciously realize that even if we define it in this
> fancier way in the spec, the present HSTS implementations won't match
> this, and may never do so. i.e. yes, you can submit bugs and wait and
> see what happens.
> ...

Well, these implementations are non-conforming right now. The 
interesting question is whether it's harder to change them to use q-s in 
*some* parameters or to do so in *all* parameters. The former requires 
that parser to special-case certain parameter names.

> =JeffH
>
> ps...
>
>  >> > I think they should, because it's likely that people will write parsers
>  >> > that allow both,
>
> I think "likely" should in reality be "may" in the above. There's a ton
> of parsers already written (firefox alone has several different ones
> apparently from what I can discern) that don't follow the (relatively
> recent) "parse parameter values in both token and quoted string forms"
> mantra.

There are tons of broken parsers, yes. Some of them in the process of 
being fixed. For instance, FF now processes q-s in Content-Type and 
Content-Disposition, and Chrome recently started to do q-s in 
Content-Disposition.

> And so you're hoping both that existing parsers get updated to follow
> the general guidelines in "3.1 Considerations for Creating Header
> Fields"
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1>,
> and that new ones also adhere to said considerations.

I hope that new definitions follow the advice, and that implementations 
of parsers for existing fields actually conform to what the 
specification says (see examples about Content-Type and 
Content-Disposition above).

Best regards, Julian
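
The approach Julian describes here (and spells out for max-age in his later message: parse every directive value as token or quoted-string, unescape, then apply the directive-specific ABNF such as max-age-v = delta-seconds) as an added example in Python. This is not code from the draft, Firefox or Chrome; the directive names, the treatment of unknown directives as extensions, and the rejection of duplicate directives are assumptions made for the example.

```python
"""Parser for the Strict-Transport-Security header field value (added example).

Every directive value is first accepted as either a token or a quoted-string
and unescaped; only then are the per-directive constraints checked, so
max-age=31536000 and max-age="31536000" mean the same thing.
"""
import re

# token characters per RFC 2616 (everything except CTLs and separators)
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE
_QUOTED_STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
_DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")   # delta-seconds = 1*DIGIT


class STSParseError(ValueError):
    """Raised when the field value does not conform; a UA would ignore the header."""


def _split_directives(field_value):
    """Split on ';' while respecting quoted-strings, so foo="a;b" stays whole."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in field_value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if in_quotes:
        raise STSParseError("unterminated quoted-string")
    parts.append("".join(buf))
    return parts


def unescape_value(raw):
    """Return the directive value as a token or as an unescaped quoted-string."""
    m = _QUOTED_STRING_RE.match(raw)
    if m:
        return re.sub(r"\\(.)", r"\1", m.group(1))   # quoted-pair -> the quoted char
    if _TOKEN_RE.match(raw):
        return raw
    raise STSParseError("directive value is neither token nor quoted-string: %r" % raw)


def parse_sts(field_value):
    """Parse an STS field value into {'max_age', 'include_subdomains', 'extensions'}."""
    directives = {}
    for part in _split_directives(field_value):
        part = part.strip()
        if not part:            # the grammar allows empty directives, e.g. a leading ";"
            continue
        name, has_value, raw_value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if not _TOKEN_RE.match(name):
            raise STSParseError("directive name is not a token: %r" % name)
        if name in directives:                 # assumption: a repeated directive is invalid
            raise STSParseError("directive %r appears more than once" % name)
        directives[name] = unescape_value(raw_value.strip()) if has_value else None

    # Directive-specific constraints are applied to the *unescaped* value only.
    if "max-age" not in directives:
        raise STSParseError("the REQUIRED max-age directive is missing")
    max_age_v = directives.pop("max-age")
    if max_age_v is None or not _DELTA_SECONDS_RE.match(max_age_v):
        raise STSParseError("max-age value is not delta-seconds: %r" % max_age_v)

    include_subdomains = "includesubdomains" in directives
    if include_subdomains and directives.pop("includesubdomains") is not None:
        raise STSParseError("includeSubDomains takes no value")

    return {
        "max_age": int(max_age_v),
        "include_subdomains": include_subdomains,
        "extensions": directives,   # unknown directives kept as extensions, not rejected
    }


if __name__ == "__main__":
    # constructed sample field values, not taken from any real server
    for sample in ('max-age=31536000; includeSubDomains',
                   'max-age="31536000"; includeSubDomains',
                   '; max-age=0',
                   'max-age=10; foo="a;b"'):
        print(repr(sample), "->", parse_sts(sample))
```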

From trac+websec@trac.tools.ietf.org  Mon Mar 26 00:44:55 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83D3D21F8567 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rBPMPGs8xUsR for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:44:54 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id 90C0621F856D for <websec@ietf.org>; Mon, 26 Mar 2012 00:44:53 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SC4bO-00020C-2c; Mon, 26 Mar 2012 03:44:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 26 Mar 2012 07:44:30 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/38#comment:1
Message-ID: <085.28575edb6d6d6b1c86e23d48b47e71c5@trac.tools.ietf.org>
References: <070.74b1282a899aeaed61981d3bd1eb69ce@trac.tools.ietf.org>
X-Trac-Ticket-ID: 38
In-Reply-To: <070.74b1282a899aeaed61981d3bd1eb69ce@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120326074454.90C0621F856D@ietfa.amsl.com>
Resent-Date: Mon, 26 Mar 2012 00:44:53 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #38: HSTS : Editorial Comments
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:44:55 -0000

#38: HSTS : Editorial Comments

Changes (by jeff.hodges@…):

 * status:  new => closed
 * resolution:   => fixed


-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  defect       |      Status:  closed
 Priority:  minor        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:  fixed
 Severity:  Active WG    |
  Document               |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/38#comment:1>
websec <http://tools.ietf.org/websec/>


From Jeff.Hodges@KingsMountain.com  Mon Mar 26 00:54:05 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E29A821F8510 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.54
X-Spam-Level: 
X-Spam-Status: No, score=-98.54 tagged_above=-999 required=5 tests=[AWL=-1.459, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, TVD_PDF_FINGER01=1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcPLUW9AiQyC for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 00:54:04 -0700 (PDT)
Received: from oproxy6-pub.bluehost.com (oproxy6.bluehost.com [IPv6:2605:dc00:100:2::a6]) by ietfa.amsl.com (Postfix) with SMTP id E501021F84E7 for <websec@ietf.org>; Mon, 26 Mar 2012 00:54:03 -0700 (PDT)
Received: (qmail 29780 invoked by uid 0); 26 Mar 2012 07:54:03 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 26 Mar 2012 07:54:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=wI2BQWedgKZ9/yepF1lKO8k3lCDfoOOd9v5LDX4Fl44=;  b=V+lULJPGm4tPBO3O4qTCXX7FKvWeTaB/iCgX64yrugJ+DLczbmCTNaVy+TYoDkOiTBHtLnBAPvwQ41TGa3zbfnXfFS5ly6NTQvaCaN+zHK+RsNZnMdCLjh+hqqf8XuOu;
Received: from dhcp-43b9.meeting.ietf.org ([130.129.67.185]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SC4kX-0008SI-8r; Mon, 26 Mar 2012 01:54:03 -0600
Message-ID: <4F702091.5050308@KingsMountain.com>
Date: Mon, 26 Mar 2012 00:53:53 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>,  Tobias Gondrom <tobias.gondrom@gondrom.org>, Alexey Melnkov <Alexey.Melnikov@isode.com>
Content-Type: multipart/mixed; boundary="------------070008030908090401070902"
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.67.185 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] strict-transport-sec slides for WebSec session today
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:54:05 -0000

This is a multi-part message in MIME format.
--------------070008030908090401070902
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--------------070008030908090401070902
Content-Type: application/pdf;
 name="hodges-ietf-83-websec-HSTS-Status.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="hodges-ietf-83-websec-HSTS-Status.pdf"
--------------070008030908090401070902--

From Jeff.Hodges@KingsMountain.com  Mon Mar 26 01:30:02 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E660621F8478 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 01:30:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.882
X-Spam-Level: 
X-Spam-Status: No, score=-99.882 tagged_above=-999 required=5 tests=[AWL=0.613, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wxPXShR2FsO for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 01:30:02 -0700 (PDT)
Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by ietfa.amsl.com (Postfix) with SMTP id 1EC5821F8503 for <websec@ietf.org>; Mon, 26 Mar 2012 01:30:02 -0700 (PDT)
Received: (qmail 17894 invoked by uid 0); 26 Mar 2012 08:29:56 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com with SMTP; 26 Mar 2012 08:29:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=1P3hpS4CZs2PO34IClV3WFVWeY+hrYQZkqYuLel5HRI=;  b=i9Y2u85DecmTZXQH5EQmsDeuXczUok300XFChFjIiwD/JeCNaOertSkB4N+15V+p+a3knNzZWxxY/jbe7H1DnQRN3o1J8EoHq30pXGOFOPbm9Tb+Mmo+YIxKasHLiYvI;
Received: from dhcp-5698.meeting.ietf.org ([130.129.86.152]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SC5JM-0002ay-Fp for websec@ietf.org; Mon, 26 Mar 2012 02:29:56 -0600
Message-ID: <4F702902.1060406@KingsMountain.com>
Date: Mon, 26 Mar 2012 01:29:54 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.86.152 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 08:30:03 -0000

 >> I'm not sure how to cleanly and unambiguously define them in terms of
 >> both token and quoted-string (and retain max-age's basis on
 >> delta-seconds). Perhaps you could propose how to do this?
 >
 > Just define the base grammar for the overall parsing; such as

I would appreciate it if you would just plain propose the grammar you believe 
we should have.

thanks,

=JeffH



From julian.reschke@gmx.de  Mon Mar 26 01:41:42 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B543C21F84E7 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 01:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.207
X-Spam-Level: 
X-Spam-Status: No, score=-104.207 tagged_above=-999 required=5 tests=[AWL=-1.608, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmcL7+Clya2W for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 01:41:42 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id A04FC21F84AA for <websec@ietf.org>; Mon, 26 Mar 2012 01:41:41 -0700 (PDT)
Received: (qmail invoked by alias); 26 Mar 2012 08:41:39 -0000
Received: from mail.greenbytes.de (EHLO [IPv6:::1]) [217.91.35.233] by mail.gmx.net (mp034) with SMTP; 26 Mar 2012 10:41:39 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+tX6o+vkytD2IoyKg9+4qYjGwZOwmYX9GzFEcwUP lcjjGNXP2QyRxR
Message-ID: <4F702BBE.3060806@gmx.de>
Date: Mon, 26 Mar 2012 10:41:34 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F702902.1060406@KingsMountain.com>
In-Reply-To: <4F702902.1060406@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 08:41:42 -0000

On 2012-03-26 10:29, =JeffH wrote:
>  >> I'm not sure how to cleanly and unambiguously define them in terms of
>  >> both token and quoted-string (and retain max-age's basis on
>  >> delta-seconds). Perhaps you could propose how to do this?
>  >
>  > Just define the base grammar for the overall parsing; such as
>
> I would appreciate it if you would just plain propose the grammar you
> believe we should have.

The base grammar in Section 6 is fine (except for the nit about the 
leading ";" we were already discussing).

For the predefined directives, for example, change:

6.1.1. The max-age Directive


    The REQUIRED max-age directive specifies the number of seconds, after
    the reception of the STS header field, during which the UA regards
    the host, from whom the message was received, as a Known HSTS Host
    (see also Section 8.1.1 "Noting a HSTS Host", below).  The delta-
    seconds production is specified in [RFC2616].

    The syntax of the max-age directive is defined as:

     max-age       = "max-age" "=" delta-seconds

     delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

    Note:  A max-age value of zero signals the UA to cease regarding the
           host as a Known HSTS Host.

to

6.1.1. The max-age Directive

    The REQUIRED max-age directive specifies the number of seconds, after
    the reception of the STS header field, during which the UA regards
    the host, from whom the message was received, as a Known HSTS Host
    (see also Section 8.1.1 "Noting a HSTS Host", below).

    The syntax of the max-age directive's value (after potentially
    applying quoted-string unescaping) is:

     max-age-v     = delta-seconds
     delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

    Note:  A max-age value of zero signals the UA to cease regarding the
           host as a Known HSTS Host.

So this

- states that the given ABNF applies to the value after q-s processing 
(when needed)
- changes the ABNF to specify only the *value*
- also we can remove the prose statement about delta-seconds; having it 
in the ABNF is sufficient

Finally, examples should show both variants of the syntax.

Best regards, Julian

From ynir@checkpoint.com  Mon Mar 26 08:09:27 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E94A321F851D for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 08:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.492
X-Spam-Level: 
X-Spam-Status: No, score=-10.492 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMME5oko2-YW for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 08:09:27 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id CCB2421F8501 for <websec@ietf.org>; Mon, 26 Mar 2012 08:09:26 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q2QF9OVs026575 for <websec@ietf.org>; Mon, 26 Mar 2012 17:09:24 +0200
X-CheckPoint: {4F7085D7-0-1B221DC2-5FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 26 Mar 2012 17:09:24 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "websec@ietf.org WG" <websec@ietf.org>
Date: Mon, 26 Mar 2012 17:09:22 +0200
Thread-Topic: Issue #41
Thread-Index: Ac0LYm3R7n9kKqNFR0KrH0OT5cN68A==
Message-ID: <9896F788-8F89-4483-AB38-D1702578C194@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [websec] Issue #41
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 15:09:28 -0000

Hi

It was my review that triggered this, so I'd like to explain my position.

There are several things that could be considered failures of the TLS layer:
 1. Revoked certificate
 2. No CRL/OCSP response
 3. Expired certificate
 4. Expired CRL (yes, I know NextUpdate is not expiry…)
 5. Mismatch between hostname and certificate (CN or alt name)
 6. Some other things I forgot?

I believe we all agree that #1 should be a hard fail. Maybe even in the
absence of HSTS. #2 is usually not treated as a failure today - it doesn't
trigger a warning screen in any browser. I haven't tested this with HSTS,
but I'd be surprised if this causes a hard fail. Same for #4.

AFAIK the most common failure cases are #3 and #5. Certificates do expire,
and even some well-run, security-conscious site administrators have been
known to let them expire.
Mismatching domain names is an issue, because two FQDNs might point to the
same server. IMO this is a good argument for a report-only setting, whereas
the expiry is something that will bite you far after your supposedly
successful deployment.

I guess my issue with this is that when I read the draft for the first
time, I thought this would be a good idea for websites that only do HTTPS
and do not do HTTP except to redirect to HTTPS. I thought it would allow
them to signal this information, and allow them to defeat HTTP-based MiTM
attacks. The draft as it stands is not a good fit for this use case,
because it requires more of the administrator than is currently reasonable
to expect.

I could propose an "HSTS-light" header for this use case, but I don't think
anybody would like to have that.

Yoav

From ynir@checkpoint.com  Mon Mar 26 08:30:19 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE7A821E80BB for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 08:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.493
X-Spam-Level: 
X-Spam-Status: No, score=-10.493 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgBp9xdxT+07 for <websec@ietfa.amsl.com>; Mon, 26 Mar 2012 08:30:19 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB7721E80CF for <websec@ietf.org>; Mon, 26 Mar 2012 08:30:14 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q2QFU9BU002270 for <websec@ietf.org>; Mon, 26 Mar 2012 17:30:10 +0200
X-CheckPoint: {4F708AB4-1-1B221DC2-5FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 26 Mar 2012 17:30:09 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "websec@ietf.org WG" <websec@ietf.org>
Date: Mon, 26 Mar 2012 17:30:08 +0200
Thread-Topic: Issue #42
Thread-Index: Ac0LZVP2jkXoBiRgQGSqdUNO4CAVXw==
Message-ID: <A4D79279-FFE2-4BA7-92D9-76CB9DD65AC4@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [websec] Issue #42
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 15:30:20 -0000

Hi

This is about fetching CRLs from a domain that happens to be the same as
that of a website.

Obviously you can't get a CRL or an OCSP response over HTTPS. Jeff's
response was that they should use a different domain name for the CRLs (if
they want to deploy HSTS).

Obviously, it's too late to change AIA or CDP in existing certificates. But
I think it goes deeper. HSTS affects what the browser is doing. Different
resources from the same domain should all be protected by TLS. But we don't
expect this to affect things that are outside the browser, like email or
system updates. IMO the fetching of CRLs or OCSP responses is not part of
the browsing, but part of the HTTPS handshake. The fact that some browsers
implement both is beside the point. Internet Explorer uses an OS library to
do the TLS handshake, including any checking of revocation. In fact getting
the CRL fetch function to apply the HSTS policy would require extra effort
from the browser implementer.

I think we should simply say that HSTS does not apply to non-content.
Fetching CRLs or browser software updates is not content, and HSTS should
not apply to it.

Yoav


From trac+websec@trac.tools.ietf.org  Tue Mar 27 10:43:24 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D23D21F8674 for <websec@ietfa.amsl.com>; Tue, 27 Mar 2012 10:43:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EUPQjtJzLVI2 for <websec@ietfa.amsl.com>; Tue, 27 Mar 2012 10:43:23 -0700 (PDT)
Received: from gamay.tools.ietf.org (gamay.tools.ietf.org [208.66.40.242]) by ietfa.amsl.com (Postfix) with ESMTP id BB81B21F8673 for <websec@ietf.org>; Tue, 27 Mar 2012 10:43:23 -0700 (PDT)
Received: from localhost ([::1] helo=gamay.tools.ietf.org) by gamay.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1SCaQC-0006r0-80; Tue, 27 Mar 2012 13:43:04 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, tobias.gondrom@gondrom.org
X-Trac-Project: websec
Date: Tue, 27 Mar 2012 17:43:04 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/42#comment:1
Message-ID: <085.277475f92b732ba314163f70e5ead576@trac.tools.ietf.org>
References: <070.4815d0321df1c7e00f76c8e99a03ba9d@trac.tools.ietf.org>
X-Trac-Ticket-ID: 42
In-Reply-To: <070.4815d0321df1c7e00f76c8e99a03ba9d@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, tobias.gondrom@gondrom.org, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on gamay.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20120327174323.BB81B21F8673@ietfa.amsl.com>
Resent-Date: Tue, 27 Mar 2012 10:43:23 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #42: STS exception for CRL fetching
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 17:43:24 -0000

#42: STS exception for CRL fetching


Comment (by tobias.gondrom@…):

 just a personal comment:
 Just to be complete: CRL fetching does not necessarily mean a complete
 break of HSTS if CRLs come from the same server. A server could still use
 HSTS without the subdomain directive and publish the CRLs/OCSP on a
 different subdomain. Though I admit that would be a significant limitation
 of HSTS. :-(

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-websec-strict-
  jeff.hodges@…          |  transport-sec@…
     Type:  enhancement  |      Status:  new
 Priority:  major        |   Milestone:
Component:  strict-      |     Version:
  transport-sec          |  Resolution:
 Severity:  In WG Last   |
  Call                   |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/42#comment:1>
websec <http://tools.ietf.org/websec/>
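
Tobias's comment above, that a site can keep HSTS on its web host while serving CRLs/OCSP from a subdomain the policy does not reach, worked through as an added example (not code from the draft, the ticket or any list participant): a small Known HSTS Host store with the UA's http-to-https rewrite, showing how the includeSubDomains directive decides whether a CRL URL on a sibling subdomain is affected. The exact-host-or-subdomain matching rule, the simplified port handling and the host names are assumptions made here.

```python
"""Known HSTS Host store with the UA's http->https rewrite, to show which
URLs an HSTS policy reaches when CRLs/OCSP live on a subdomain.

Added example, not code from the draft, the ticket or any list participant.
Assumed here: a policy covers the host it was received from exactly and,
only when includeSubDomains was present, every subdomain of it; an explicit
port in a rewritten URL is kept unchanged (a simplification).  Host names
below are constructed sample data.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class KnownHstsHost:
    expires_at: float           # reception time + max-age, in seconds
    include_subdomains: bool


class HstsStore:
    """Per-UA store of Known HSTS Hosts, keyed by lower-cased host name."""

    def __init__(self, now=time.time):
        self._now = now         # injectable clock, so expiry can be tested
        self._hosts = {}

    @staticmethod
    def _canon(host):
        return host.lower().rstrip(".")

    def note(self, host, max_age, include_subdomains):
        """Note `host` after a valid STS header; max-age=0 forgets it."""
        host = self._canon(host)
        if max_age == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = KnownHstsHost(self._now() + max_age, include_subdomains)

    def is_known(self, host):
        """True if `host` is a Known HSTS Host, or a subdomain of one whose
        policy was noted with includeSubDomains.  Expired entries are dropped."""
        labels = self._canon(host).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= self._now():
                del self._hosts[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Rewrite an http URL to https when its host is a Known HSTS Host;
        anything else (including a CRL on an uncovered subdomain) is returned
        untouched."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Policy for example.com WITHOUT includeSubDomains: the CRL on
    # crl.example.com is still fetched over plain http.
    store.note("example.com", 31536000, include_subdomains=False)
    print(store.rewrite("http://example.com/"))            # https://example.com/
    print(store.rewrite("http://crl.example.com/ca.crl"))  # unchanged
    # WITH includeSubDomains the same CRL URL is forced to https.
    store.note("example.com", 31536000, include_subdomains=True)
    print(store.rewrite("http://crl.example.com/ca.crl"))  # https://crl.example.com/ca.crl
```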


From Jeff.Hodges@KingsMountain.com  Wed Mar 28 01:27:12 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3843D21F855A for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 01:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.145
X-Spam-Level: 
X-Spam-Status: No, score=-100.145 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bb1SOEtEQ8k9 for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 01:27:11 -0700 (PDT)
Received: from oproxy4-pub.bluehost.com (oproxy4.bluehost.com [IPv6:2605:dc00:100:2::a4]) by ietfa.amsl.com (Postfix) with SMTP id 94C9321F8507 for <websec@ietf.org>; Wed, 28 Mar 2012 01:27:11 -0700 (PDT)
Received: (qmail 28390 invoked by uid 0); 28 Mar 2012 08:27:10 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 28 Mar 2012 08:27:10 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=2VdG7lzcK3zuo0zyUGONqQXm+MB3YWy2C8UVZuH2hak=;  b=lKiDXqk/ggW5NQ1WY7h9mCQ7S3M4CR0OgDgSl5vbnBq6W3tjl+U/wX9+7NpYlPv0DxC/PeAl1PcrlUar6c02IA6ybcGRggd/V+DbvcxbYxHWbFAO0QsEzIw/s5+0+A5M;
Received: from dhcp-5698.meeting.ietf.org ([130.129.86.152]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SCoDl-00046O-6G for websec@ietf.org; Wed, 28 Mar 2012 02:27:09 -0600
Message-ID: <4F72CB5A.5050205@KingsMountain.com>
Date: Wed, 28 Mar 2012 01:27:06 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.86.152 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] IETF-83 WebSec Session minutes?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 08:27:12 -0000

Hi,

would whoever was taking (hopefully detailed) minutes of the IETF-83 WebSec 
Session please post them to the list? If they're still "raw", that's 
fine, just denote them as such.

thanks,

=JeffH

From alexey.melnikov@isode.com  Wed Mar 28 01:39:22 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E63A521F8883 for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 01:39:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.578
X-Spam-Level: 
X-Spam-Status: No, score=-102.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9kWSt1a6mlMU for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 01:39:22 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 027BD21F8881 for <websec@ietf.org>; Wed, 28 Mar 2012 01:39:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332923961; d=isode.com; s=selector; i=@isode.com; bh=FuxXeW9imNzxF4Xq+cD1llBpxTLKcp8/637dQb/8EuY=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=QF4Cb7+FhaZa+e5RlhRAnjwufWAomjwYRXK8zGMiOfFvrAIz5CQ6tWj/Zo0rRKkNSHOmYs i7AsIBTb73Ez7oRwuod23uZ2mTey4zQzfm2FgWKnGqX2R9zM7RDU3mCAb0iYJeqq2r156A zp1bIrVsxLEaOcNyfzTZajuxQIlfxFY=;
Received: from [130.129.23.230] (dhcp-17e6.meeting.ietf.org [130.129.23.230])  by rufus.isode.com (submission channel) via TCP with ESMTPSA  id <T3LONwAikscv@rufus.isode.com>; Wed, 28 Mar 2012 09:39:21 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F72CE3C.2060305@isode.com>
Date: Wed, 28 Mar 2012 10:39:24 +0200
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F72CB5A.5050205@KingsMountain.com>
In-Reply-To: <4F72CB5A.5050205@KingsMountain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] IETF-83 WebSec Session minutes?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 08:39:23 -0000

On 28/03/2012 10:27, =JeffH wrote:
> Hi,
>
> would whoever was taking (hopefully detailed) minutes of the IETF-83 
> WebSec Session please post them to the list? If they're still 
> "raw", that's fine, just denote them as such.
>
Jeff, I am editing Richard Barnes' jabber notes. This might take a few 
days (don't have time today).


From julian.reschke@gmx.de  Wed Mar 28 06:36:26 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 615FB21F85F6 for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 06:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.066
X-Spam-Level: 
X-Spam-Status: No, score=-104.066 tagged_above=-999 required=5 tests=[AWL=-1.467, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPs96q9BusD6 for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 06:36:22 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id A1BE421E80BF for <websec@ietf.org>; Wed, 28 Mar 2012 06:36:12 -0700 (PDT)
Received: (qmail invoked by alias); 28 Mar 2012 13:36:11 -0000
Received: from mail.greenbytes.de (EHLO [IPv6:::1]) [217.91.35.233] by mail.gmx.net (mp039) with SMTP; 28 Mar 2012 15:36:11 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18JtJFgZjoJgMPfsWBvFuJM6BZeQYyP8Z8KN8BHiK 0/73E3lDaGsEQT
Message-ID: <4F7313C6.8080905@gmx.de>
Date: Wed, 28 Mar 2012 15:36:06 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F702902.1060406@KingsMountain.com> <4F702BBE.3060806@gmx.de>
In-Reply-To: <4F702BBE.3060806@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was:  new rev: draft-ietf-websec-strict-transport-sec-04
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 13:36:26 -0000

Here's the promised concrete change proposal:

Section 6.1., paragraph 3:
OLD:

      Strict-Transport-Security = "Strict-Transport-Security" ":"
                                  *( ";" [ directive ] )

NEW:

      Strict-Transport-Security = "Strict-Transport-Security" ":"
                                  [ directive ] *( ";" [ directive ] )


(fixes the leading ";" problem)

Section 6.1., paragraph 12:
OLD:

    Additional directives extending the semantic functionality of the STS
    header field may be defined in other specifications (which "update"
    this specification), using the STS directive extension point.

NEW:

    Additional directives extending the semantic functionality of the STS
    header field can be defined in other specifications (which "update"
    this specification).

(the extension directive extension point was removed earlier on when the 
ABNF was simplified)

Section 6.1.1., paragraph 2:
OLD:

    The syntax of the max-age directive is defined as:

NEW:

    The syntax of the max-age directive's value (after potential quoted-
    string unescaping, when applicable) is defined as:


Section 6.1.1., paragraph 3:
OLD:

     max-age       = "max-age" "=" delta-seconds

NEW:

     max-age-value = delta-seconds

(We just define the parameter value ABNF)

Section 6.2., paragraph 0:
OLD:

    The syntax of the includeSubDomains directive is defined as:

      includeSubDomains = "includeSubDomains"

  6.2.  Examples

NEW:

(text removed, as the directive is value-less)


  6.2.  Examples


Section 6.2., paragraph 2:
OLD:

       Strict-Transport-Security: max-age=31536000

NEW:

       Strict-Transport-Security: max-age="31536000"

(changed one example to use q-s)

Best regards, Julian
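
Julian's two messages above propose that a directive value be parsed as token or quoted-string first and that max-age's value be matched against delta-seconds only after unescaping, with examples showing both forms. As an added example (not code from the draft or from anyone on the list), here is a Python parser following that proposal; the directive/directive-name/directive-value productions, the once-per-directive rule and the whitespace tolerance are assumptions, since the base grammar of Section 6 is not quoted in this thread.

```python
"""Parser for the Strict-Transport-Security field value as proposed in this
thread: a directive value may be a token or a quoted-string, and max-age's
value is matched against delta-seconds only after quoted-string unescaping.

Added example, not code from the draft or from any list participant.
Assumptions (the base grammar of Section 6 is not quoted in the thread):

    directive       = directive-name [ "=" directive-value ]
    directive-name  = token
    directive-value = token / quoted-string   ; token, quoted-string: RFC 2616

Directive names are compared case-insensitively, a directive may appear
only once, and whitespace around "=" and ";" is tolerated.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 2616 token characters
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'              # "..." with \-escapes
DIRECTIVE = re.compile(
    rf"^\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED_STRING}))?\s*$")
DELTA_SECONDS = re.compile(r"^[0-9]+$")           # delta-seconds = 1*DIGIT


class STSError(ValueError):
    """The field value does not conform; a UA would ignore the whole header."""


def unquote(value):
    """Undo quoted-string escaping: drop the quotes, resolve backslash pairs."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def split_directives(field_value):
    """Split on ';' outside quoted-strings.

    The proposed ABNF [ directive ] *( ";" [ directive ] ) makes every
    directive optional, so a leading ';' or ';;' just yields empty pieces,
    which are dropped.
    """
    pieces, current, in_quotes, escaped = [], [], False, False
    for ch in field_value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            pieces.append("".join(current))
            current = []
            continue
        current.append(ch)
    if in_quotes:
        raise STSError("unterminated quoted-string")
    pieces.append("".join(current))
    return [p for p in pieces if p.strip()]


def parse_sts(field_value):
    """Return {'max_age': int, 'include_subdomains': bool} or raise STSError.

    max-age=31536000 and max-age="31536000" (the two example forms Julian
    asks for) parse identically because the delta-seconds check runs on the
    unescaped value.
    """
    seen = set()
    max_age, include_subdomains = None, False
    for piece in split_directives(field_value):
        m = DIRECTIVE.match(piece)
        if m is None:
            raise STSError(f"malformed directive: {piece!r}")
        name = m.group("name").lower()
        raw = m.group("value")
        if name in seen:
            raise STSError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if raw is None:
                raise STSError("max-age requires a value")
            value = unquote(raw)
            if DELTA_SECONDS.match(value) is None:
                raise STSError(f"max-age-value is not delta-seconds: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            if raw is not None:
                raise STSError("includeSubDomains is value-less")
            include_subdomains = True
        # any other directive is an extension we do not know: ignore it
    if max_age is None:
        raise STSError("the REQUIRED max-age directive is missing")
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def is_valid(field_value):
    """Convenience wrapper: True when parse_sts accepts the field value."""
    try:
        parse_sts(field_value)
    except STSError:
        return False
    return True
```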

From appseceu@owasp.org  Wed Mar 28 14:50:42 2012
Return-Path: <appseceu@owasp.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 503FD21E8097 for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 14:50:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.676
X-Spam-Level: 
X-Spam-Status: No, score=-1.676 tagged_above=-999 required=5 tests=[AWL=1.300,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLz4IBlGIEUU for <websec@ietfa.amsl.com>; Wed, 28 Mar 2012 14:50:41 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 501F821E801E for <websec@ietf.org>; Wed, 28 Mar 2012 14:50:41 -0700 (PDT)
Received: by ghbg16 with SMTP id g16so1244977ghb.31 for <websec@ietf.org>; Wed, 28 Mar 2012 14:50:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:x-gm-message-state :content-type; bh=CdW+SekopqA9mBMDq8ciBZdoE8iejZr2i6DcDqgdX3s=; b=OVaepX4gTfttdQgtgyssew4CkYVmf953821vyUAXluEms7f7reXhzcj0Lu5H6CUQl0 wPeT56iVUDSkHpBpNR+tr9jMfnV3J20CmeGUA3BfWIx25ygg5Fc1ofd2qYSw7RVOZSok 0czax5uR3GGSs/CjPtkjk+mPJxLpoTNvmnLZC2Ndi1xLEyxZi5gT/S2OCiHBZh1W/zIK A4SqNQ6HbK0ZPMr9jCzPrC48IRs14/tfxAWJGSLLNgYazrT8BbxoFuBBY9tqLF/Vnhj1 w4rplreAdHr6IRW0vb74XSrW8Pq0f4ImBJHKjEPI8fdnsBhW9/zmnq0Nm6eYELCLZ85g YDbw==
MIME-Version: 1.0
Received: by 10.50.57.133 with SMTP id i5mr614967igq.14.1332971440683; Wed, 28 Mar 2012 14:50:40 -0700 (PDT)
Received: by 10.64.20.101 with HTTP; Wed, 28 Mar 2012 14:50:40 -0700 (PDT)
Date: Wed, 28 Mar 2012 22:50:40 +0100
Message-ID: <CAL8-oJw_gWiYi4t+6=OV3n8FXPYK9cgLoRpTXsegGX7GpxSVPA@mail.gmail.com>
From: OWASP AppSec EU <appseceu@owasp.org>
To: websec@ietf.org
X-Gm-Message-State: ALoCoQk3JY6In2cO64gXHetTg1KR9OblfopuykxdFT6DV1Za65+hIHhH7CdzSQf68LCASFQQuk2u
Content-Type: multipart/alternative; boundary=14dae934090d37bcd204bc549901
Subject: [websec] OWASP AppSec Research EU CFP/CFT
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 21:52:03 -0000

--14dae934090d37bcd204bc549901
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Colleagues,

In 2012, OWASP is holding its Global AppSec Research (EU) Conference
in Athens, Greece! The OWASP AppSec Research conference is a premier
gathering for Information Security leaders and researchers. It brings
together the application security community to share cutting-edge
ideas, initiatives and technology advancements.


The OWASP AppSec Research 2012 Call for Papers (CFP) is open. Visit the
following URL to submit your proposal for the July 12-13, 2012 talks
in Athens, Greece:

http://www.easychair.org/conferences/?conf=appseceu2012

The final closing date for submissions is Sunday, April 15, 2012. We
look forward to receiving submissions for technical presentations,
demos or research papers on the following topics:

* Security aspects of new/emerging web technologies/paradigms (mashups, web
2.0, offline support, etc)
* Security in web services, XML, REST, and service oriented architectures
* Security in cloud-based services
* Security of development frameworks (Struts, Spring, ASP.Net MVC etc)
* New security features in platforms or languages
* Next-generation browser security
* Security for the mobile web
* Secure application development (methods, processes etc) and secure coding
practices
* Business risks of Application Security
* Starting and Managing Secure Development Lifecycle Programs.
* Privacy Concerns regarding applications and Data Storage
* Threat modeling of applications
* Vulnerability analysis and application security testing (code review,
pentest, static analysis etc)
* Countermeasures for application vulnerabilities
* Metrics for application security
* Application security awareness and education
* Securing e-government applications and services
* Government Initiatives & Case Studies
* OWASP Tools and Projects


OWASP AppSec Research 2012 is also currently soliciting training
providers for the conference. Visit the following URL to submit your
training proposal for the July 10-11, 2012 training days in Athens,
Greece:

http://www.appsecresearch.org/cft

The following conditions apply for people or organizations that want
to provide training at the conference:

* Training provider should provide class syllabus / training materials.
* Proceeds will be split 60/40 (OWASP/Trainer) for the training class.
* OWASP will provide the Venue, Marketing with Conference materials,
Registration and basic AV.
* Trainers will cover travel and accommodations for the instructor(s)
and all course materials for students.
* OWASP will reserve up to 2 training slots at no cost and the trainer
may reserve up to one slot at no cost.
* Price per attendee: 2-Day Class €990 / 1-Day Class €495.
* Trainers can brand training materials to increase their exposure.
* Classes are to be focused around Application Security but are in no
way limited to web application security.

We will look favourably on lab-based/hands-on training.


We will make the first round of selections, based on the Training
proposals we have received by March 30, 2012. We have extended the
final closing date for submissions to Sunday, April 15, 2012.

Submit proposals to training@appsecresearch.org using the CFT template
(http://www.appsecresearch.org/wp-content/uploads/2012/02/OWASP_CFT_AppSecEU2012.doc).
All trainers will be required to submit a Training Instructor Agreement
(http://www.appsecresearch.org/wp-content/uploads/2012/02/OWASP_AppSecEU2012_Training_Instructor_Agreement.doc)
in order to have their classes scheduled.

Additional information can be found at http://www.appsecresearch.org.

Please forward to all interested practitioners and colleagues.

