From gphemsley@gmail.com  Mon Nov  5 10:02:20 2012
Return-Path: <gphemsley@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EB9521F8428 for <websec@ietfa.amsl.com>; Mon,  5 Nov 2012 10:02:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level: 
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2C57ets2Jz5 for <websec@ietfa.amsl.com>; Mon,  5 Nov 2012 10:02:19 -0800 (PST)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id A627521F84D5 for <websec@ietf.org>; Mon,  5 Nov 2012 09:59:56 -0800 (PST)
Received: by mail-wg0-f44.google.com with SMTP id dr13so2917956wgb.13 for <websec@ietf.org>; Mon, 05 Nov 2012 09:59:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=BY3guUgiZwn3NgFHOBVWRwLvi3Pst5ym6qH7sg6kRhk=; b=sR+/m3h8qLGCRQJY6eJnDqGCodSFzzUR0yB3CvkikIk2GxOxTFlFNwytfs4ibgELBu 4HXYFXzvFEsYFSXJCsa9Lrn4FuvQ8zM1GmL4x38LeXqsmcnpUEPS6vc0tesuFI61XeEs EJPTMsVSD6py4Djz0quO7u3Og1W+eiRgFFebZJQSczJWuKZtUFw2FFUwgXp5VXDDgcex 0VDo7Ay01/RKzvDQ92nWhaD8hjl69buS3/pRTlqHX1C+WWbg9bVdoz3uNvHtu0DytLGw UJnV08u2fIjaRimchTmsv/tItVcWDnTyIF7bnfHepkLufGWjjEieBhQuGcHKPKvMc0uv BTtA==
Received: by 10.216.226.216 with SMTP id b66mr3711951weq.155.1352138395487; Mon, 05 Nov 2012 09:59:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.173.206 with HTTP; Mon, 5 Nov 2012 09:59:35 -0800 (PST)
In-Reply-To: <CAH4e3M5+rqf3QPv1pXDA0vR7O9CWsNKzD_P=sWL6Kco=6QHkKw@mail.gmail.com>
References: <CAH4e3M5+rqf3QPv1pXDA0vR7O9CWsNKzD_P=sWL6Kco=6QHkKw@mail.gmail.com>
From: "Gordon P. Hemsley" <gphemsley@gmail.com>
Date: Mon, 5 Nov 2012 12:59:35 -0500
Message-ID: <CAH4e3M6xS8Ep=r8Dpa_m9Y-Zhzy5Hn9C+-vGfCA1XYkOAAtHdA@mail.gmail.com>
To: IETF websec <websec@ietf.org>
Content-Type: multipart/alternative; boundary=00504502dc2bc010a004cdc340ce
Subject: [websec] [mimesniff] Review requested on MIME Sniffing Standard
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 18:02:20 -0000

--00504502dc2bc010a004cdc340ce
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Originally sent to the WHATWG list.

---------- Forwarded message ----------
From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Mon, Nov 5, 2012 at 10:28 AM
Subject: [mimesniff] Review requested on MIME Sniffing Standard
To: whatwg List <whatwg@whatwg.org>


Hey all,

As you might have heard, I have taken over editorship of the MIME Sniffing
Standard from Adam Barth.

As a first step in my editorship, I have taken the opportunity to rewrite
the document in a more procedural and modular way (IMO). The content and
meaning itself is not supposed to have changed, and I need your help to
verify that that is the case:

http://mimesniff.spec.whatwg.org/

In addition, this now means that I am open to hearing your suggestions
about how to improve the document beyond its current (i.e. former)
semantics.

You can file bugs here:

https://www.w3.org/Bugs/Public/enter_bug.cgi?product=3DWHATWG&component=3DM=
IME

As this document was originally an IETF document, there are also old issues
here:

http://trac.tools.ietf.org/wg/websec/trac/query?component=3Dmime-sniff

It's not clear to me which of those remain outstanding on the current
version of the document, and it would be helpful to me if individuals with
a vested interest in them could migrate them to Bugzilla (with updated
descriptions that reflect the current state of the document). This will
ensure that I address them in a timely manner.

Also, it would be helpful if you could mark them as blocking the general
bug here:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=3D19746

And if you want to follow the commits as they happen, you can follow
@mimesniff on Twitter:

https://twitter.com/mimesniff

Thanks!

Gordon

--=20
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ =E2=80=A2 http://gphemsley.org/blog/



--=20
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ =E2=80=A2 http://gphemsley.org/blog/

--00504502dc2bc010a004cdc340ce
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Originally sent to the WHATWG list.<br><br><div class=3D"gmail_quote">-----=
----- Forwarded message ----------<br>From: <b class=3D"gmail_sendername">G=
ordon P. Hemsley</b> <span dir=3D"ltr">&lt;<a href=3D"mailto:gphemsley@gmai=
l.com">gphemsley@gmail.com</a>&gt;</span><br>

Date: Mon, Nov 5, 2012 at 10:28 AM<br>Subject: [mimesniff] Review requested=
 on MIME Sniffing Standard<br>To: whatwg List &lt;<a href=3D"mailto:whatwg@=
whatwg.org">whatwg@whatwg.org</a>&gt;<br><br><br>Hey all,<br><br>As you mig=
ht have heard, I have taken over editorship of the MIME Sniffing Standard f=
rom Adam Barth.<br>

<br>As a first step in my editorship, I have taken the opportunity to rewri=
te the document in a more procedural and modular way (IMO). The content and=
 meaning itself is not supposed to have changed, and I need your help to ve=
rify that that is the case:<br>


<br><a href=3D"http://mimesniff.spec.whatwg.org/" target=3D"_blank">http://=
mimesniff.spec.whatwg.org/</a><br><br>In addition, this now means that I am=
 open to hearing your suggestions about how to improve the document beyond =
its current (i.e. former) semantics.<br>


<br>You can file bugs here:<br><br><a href=3D"https://www.w3.org/Bugs/Publi=
c/enter_bug.cgi?product=3DWHATWG&amp;component=3DMIME" target=3D"_blank">ht=
tps://www.w3.org/Bugs/Public/enter_bug.cgi?product=3DWHATWG&amp;component=
=3DMIME</a><br>

<br>As this document was originally an IETF document, there are also old is=
sues here:<br>
<br><a href=3D"http://trac.tools.ietf.org/wg/websec/trac/query?component=3D=
mime-sniff" target=3D"_blank">http://trac.tools.ietf.org/wg/websec/trac/que=
ry?component=3Dmime-sniff</a><br><br>It&#39;s not clear to me which of thos=
e remain outstanding on the current version of the document, and it would b=
e helpful to me if individuals with a vested interest in them could migrate=
 them to Bugzilla (with updated descriptions that reflect the current state=
 of the document). This will ensure that I address them in a timely manner.=
<br>


<br>Also, it would be helpful if you could mark them as blocking the genera=
l bug here:<br><br><a href=3D"https://www.w3.org/Bugs/Public/show_bug.cgi?i=
d=3D19746" target=3D"_blank">https://www.w3.org/Bugs/Public/show_bug.cgi?id=
=3D19746</a><br>

<br>
And if you want to follow the commits as they happen, you can follow @mimes=
niff on Twitter:<br><br><a href=3D"https://twitter.com/mimesniff" target=3D=
"_blank">https://twitter.com/mimesniff</a><br><br>Thanks!<span class=3D"HOE=
nZb"><font color=3D"#888888"><br>

<br>Gordon<br clear=3D"all"><br>
-- <br>Gordon P. Hemsley<br><a href=3D"mailto:me@gphemsley.org" target=3D"_=
blank">me@gphemsley.org</a><br><a href=3D"http://gphemsley.org/" target=3D"=
_blank">http://gphemsley.org/</a> =E2=80=A2 <a href=3D"http://gphemsley.org=
/blog/" target=3D"_blank">http://gphemsley.org/blog/</a><br>



</font></span></div><br><br clear=3D"all"><br>-- <br>Gordon P. Hemsley<br><=
a href=3D"mailto:me@gphemsley.org" target=3D"_blank">me@gphemsley.org</a><b=
r><a href=3D"http://gphemsley.org/" target=3D"_blank">http://gphemsley.org/=
</a> =E2=80=A2 <a href=3D"http://gphemsley.org/blog/" target=3D"_blank">htt=
p://gphemsley.org/blog/</a><br>



--00504502dc2bc010a004cdc340ce--

From Jeff.Hodges@KingsMountain.com  Mon Nov  5 11:30:02 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0699D21F87CE for <websec@ietfa.amsl.com>; Mon,  5 Nov 2012 11:30:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.432
X-Spam-Level: 
X-Spam-Status: No, score=-102.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IgmjOQNBbM6e for <websec@ietfa.amsl.com>; Mon,  5 Nov 2012 11:30:01 -0800 (PST)
Received: from oproxy11-pub.bluehost.com (oproxy11-pub.bluehost.com [173.254.64.10]) by ietfa.amsl.com (Postfix) with SMTP id 81C9821F8695 for <websec@ietf.org>; Mon,  5 Nov 2012 11:30:00 -0800 (PST)
Received: (qmail 16404 invoked by uid 0); 5 Nov 2012 19:29:19 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy11.bluehost.com with SMTP; 5 Nov 2012 19:29:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=AgGtjL+JdpWwVMB44PGsfOh8/QE6bU+7wcK7z9Q7AEk=;  b=OTqITDxcQMNI+SpbD+yzTbEhcaeqEwxZVZwBnvjBXfNUMQAb7wTyBmf5YQToj8OrBEf4uBtYPimGx+yLK9NiXRXh/pRC9iSmbC5glChKAK4AHRO6WXxR4dUxiKMbqkVH;
Received: from [130.129.80.110] (port=39683) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1TVSMJ-0005Or-EM for websec@ietf.org; Mon, 05 Nov 2012 12:29:19 -0700
Message-ID: <5098138E.1010001@KingsMountain.com>
Date: Mon, 05 Nov 2012 11:29:18 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.80.110 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] Preliminary agenda uploaded
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 19:30:02 -0000

HI,

 > We've uploaded the preliminary agenda for the Atlanta meeting.
 >
 > http://www.ietf.org/proceedings/85/agenda/agenda-85-websec
 >
 > IETF-85 WebSec
 > Thursday, November 8, 17:30-18:30
 > ----------------------------------
 > 1. Note Well, Agenda, Note Takers, Blue sheets (5 min)
 > 2. Document Status (5 min)
 > 3. Pinning (20 min)
 >     http://tools.ietf.org/html/draft-ietf-websec-key-pinning-03
 > 4. Future of Frame-Options (10 min)
 >     http://tools.ietf.org/html/draft-gondrom-frame-options-02
 > 5. Security Framework (15 min) - Jeff Hodges
 >     http://tools.ietf.org/html/draft-hodges-websec-framework-reqs-02
 > 6. Open Mike (5 min)


I suggest a modest rearrangement of the agenda since my item, security 
framework, is mostly consciousness-raising and likely to be short, and perhaps 
less than 10min.

I'm not sure of the order between pinning and frame-options, both will likely 
have some non-trivial discussion.

so one shot at yet another agenda update is...


Thursday, November 8, 17:30-18:30
----------------------------------
1. Note Well, Agenda, Note Takers, Blue sheets (5 min)

2. Document Status (5 min)

3. Security Framework (10 min) - Jeff Hodges
     http://tools.ietf.org/html/draft-hodges-websec-framework-reqs-02

4. Pinning (20 min)
     http://tools.ietf.org/html/draft-ietf-websec-key-pinning-03

5. Future of Frame-Options (15 min)
     http://tools.ietf.org/html/draft-gondrom-frame-options-02

6. Open Mike (5 min)




HTH,

=JeffH

From alexey.melnikov@isode.com  Tue Nov  6 08:08:51 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 212E321F89A0 for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 08:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.103
X-Spam-Level: 
X-Spam-Status: No, score=-102.103 tagged_above=-999 required=5 tests=[AWL=-0.496, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsMObVYe8yKX for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 08:08:50 -0800 (PST)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 6E06821F893C for <websec@ietf.org>; Tue,  6 Nov 2012 08:08:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1352218128; d=isode.com; s=selector; i=@isode.com; bh=iZn+mh1vI35DbwBdzA9IYdJERytKP3OEOwX5ICVX6Sg=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=lgN5RF2bAS4hVlmlIqj1l/S2aPh1iBNtD4AANtuN24wR+0Gq4aFLjRYT2g3ea5n68P+XiX 6GwByQQAJPFcrjCm28Iq0VAN94TzlzWaNHWUS6JK1PGf5XlGKH/HmL0TCZvMo60IdC3mmD Unlp5F9f33la2w9Z0CAlhXnQb8xLb1Q=;
Received: from [130.129.18.182] (dhcp-12b6.meeting.ietf.org [130.129.18.182])  by waldorf.isode.com (submission channel) via TCP with ESMTPA  id <UJk2DgBK0seS@waldorf.isode.com>; Tue, 6 Nov 2012 16:08:48 +0000
Message-ID: <50984991.6000601@isode.com>
Date: Mon, 05 Nov 2012 23:19:45 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: IETF WebSec WG <websec@ietf.org>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com> <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com>
In-Reply-To: <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 16:08:51 -0000

Here is my review (with my co-chair hat off):

[RFC3986] should be a Normative reference (as it is required to 
parse/generate
a valid X-Frame-Options header field).

[RFC6454] is normative, because there is a SHOULD requirement to use it.

In Section 2.1:

   The ALLOW-FROM URI MUST be valid.

I don't know what this mean exactly. Can you elaborate?

2.2.  Backus-Naur Form (BNF)

    The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:

Which makes [RFC0822] Normative.

          X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
                                  ("ALLOW-FROM" ":" URI)

    With URI as defined in [RFC3986]
    [TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
    in addition?

Yes, you should use RFC 5234. This probably means inserting "[WSP]" in 
various
places, but I think that would be much better.


2.3.2.  Browser Behaviour and Processing

    To allow secure implementations, browsers MUST behave in a consistent
    and reliable way.

This is self evident, IMHO, and I don't think it adds much value. How 
exactly
violation or conformance to this MUST be verified? I suggest deleting 
the sentence.


2.4.1.  Example scenario for the ALLOW-FROM parameter

    1.  Inner IFRAME suggests via a querystring parameter what site it
        wants to be hosted by.  This can obviously be specified by an
        attacker, but that's OK.

I blame lack of sleep, but can you explain this to me in more details?

5.  Security Considerations

    The introduction of the http header X-FRAME-OPTIONS does improve the
    protection against Clickjacking, however it is not self-sufficient on
    its own but MUST be used in conjunction with other security measures
    like secure coding and Content Security Policy (CSP)

CSP needs an Informative reference.


From julian.reschke@gmx.de  Tue Nov  6 08:26:10 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E711321F8A0F for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 08:26:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2kf6FubZaQxK for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 08:26:10 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 066BF21F8A12 for <websec@ietf.org>; Tue,  6 Nov 2012 08:26:09 -0800 (PST)
Received: (qmail invoked by alias); 06 Nov 2012 16:26:08 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp069) with SMTP; 06 Nov 2012 17:26:08 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+psz9bf8Cpiz4SNoPEWKimE6ZaTCjmtU4qY5Y/l6 pk8RlNge1AmF+3
Message-ID: <50993A1E.1010205@gmx.de>
Date: Tue, 06 Nov 2012 17:26:06 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com> <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com> <50984991.6000601@isode.com>
In-Reply-To: <50984991.6000601@isode.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 16:26:11 -0000

On 2012-11-06 00:19, Alexey Melnikov wrote:
> Here is my review (with my co-chair hat off):
>
> [RFC3986] should be a Normative reference (as it is required to
> parse/generate
> a valid X-Frame-Options header field).
>
> [RFC6454] is normative, because there is a SHOULD requirement to use it.
>
> In Section 2.1:
>
>    The ALLOW-FROM URI MUST be valid.
>
> I don't know what this mean exactly. Can you elaborate?
>
> 2.2.  Backus-Naur Form (BNF)
>
>     The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
>
> Which makes [RFC0822] Normative.
>
>           X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
>                                   ("ALLOW-FROM" ":" URI)
>
>     With URI as defined in [RFC3986]
>     [TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
>     in addition?
>
> Yes, you should use RFC 5234. This probably means inserting "[WSP]" in
> various
> places, but I think that would be much better.
> ...

Almost.

You should reference HTTPbis Part 1, and, in particular, *only* define 
the ABNF for the field value.

Best regards, Julian

From julian.reschke@gmx.de  Tue Nov  6 09:25:50 2012
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77FA521F8A60 for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 09:25:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.599
X-Spam-Level: 
X-Spam-Status: No, score=-105.599 tagged_above=-999 required=5 tests=[AWL=-3.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qou+WGQvY1WE for <websec@ietfa.amsl.com>; Tue,  6 Nov 2012 09:25:49 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id BCD7721F8A49 for <websec@ietf.org>; Tue,  6 Nov 2012 09:25:47 -0800 (PST)
Received: (qmail invoked by alias); 06 Nov 2012 17:25:46 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp040) with SMTP; 06 Nov 2012 18:25:46 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18JOXI1QToJafd2c7L+TVDwrYpZMl+fAbXO3J0McF fCcAeGCBV3eRgr
Message-ID: <50994817.1030503@gmx.de>
Date: Tue, 06 Nov 2012 18:25:43 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 17:25:50 -0000

Hi there,

here's my feedback from the HTTP/editorial point of view:

> Abstract
>
>    To improve the protection of web applications against Clickjacking
>    this standard defines an http response header that declares a policy

s/standard/specification/
s/http response header/HTTP response header field/

>    communicated from a host to the client browser on whether the browser
>    must not display the transmitted content in frames of other web
>    pages.  This drafts serves to document the existing use and

drafts?

>    In 2009 and 2010 many browser vendors ([Microsoft-X-Frame-Options],
>    [CLICK-DEFENSE-BLOG], [Mozilla-X-Frame-Options]) introduced the use
>    of a non-standard http header RFC 2616 [RFC2616] "X-Frame-Options" to

s/http header RFC 2616 [RFC2616]/HTTP [RFC2616] header field/

>    protect against Clickjacking [Clickjacking].  This draft is to
>    document the current use of X-Frame-Options header and shall in the
>    future be replaced by the Frame-Options [FRAME-OPTIONS] standard.

What's supposed to be replaced is the header field, not the spec, right?

> 2. X-Frame-Options Header
>
>
>    The X-Frame-Options HTTP response header indicates a policy whether a

s/header/header field/ throughout.

>    browser MUST NOT allow to render a page in a <frame> or <iframe> .

whitespace...

> 2.1. Syntax
>
>
>    The header field name is:
>    X-Frame-Options
>
>    There are three different values for the header field.  These values
>    are exclusive, that is NOT more than one of the three values MUST be
>    set.

maybe "exactly one"?

>    DENY
>          A browser receiving content with this header MUST NOT display
>          this content in any frame.
>
>    SAMEORIGIN
>          A browser receiving content with this header MUST NOT display
>          this content in any frame from a page of different origin than
>          the content itself.

Reference ORIGIN spec?

>    ALLOW-FROM  (followed by a URI [RFC3986] of a trusted origin)
>          A browser receiving content with this header MUST NOT display
>          this content in a frame from any page with a top-level browsing
>          contex of different origin than the specified origin.  While
>          this can expose the page to risks by the trusted origin, in
>          some cases it may be necessary to allow the framing by content
>          from other domains.
>          For example: X-FRAME-OPTIONS: ALLOW-FROM:
>          https://www.domain.com/

The example needs reformatting.

>    The ALLOW-FROM URI MUST be valid.
>    Any data beyond the domain address (i.e. any data after the "/"
>    separator) is to be ignored.  And the algorithm to compare origins

authority component?

>    from [RFC6454] SHOULD be used to verify a referring page is of the
>    same origin as the content or that the referring page's origin is
>    identical with the ALLOW-FROM URI.
>
>    Wildcards or lists to declare multiple domains in one ALLOW-FROM
>    statement are not permitted.
>
>    Please note that in conflict with [RFC6454], current implementations
>    do not consider the port as a defining component of the origin.
>
> 2.2. Backus-Naur Form (BNF)
>
>
>    The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
>
>          X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
>                                  ("ALLOW-FROM" ":" URI)

That should reference HTTPbis P1, and just define the field *value, such as:

X-Frame-Options = "DENY"
                 / "SAMEORIGIN"
                 / ( "ALLOW-FROM" OWS ":" OWS URI )
OWS = <HTTPbis P1 ref>
URI = <RFC3986 ref>

Note that this makes the keywords case-insensitive; if this is intended 
it might make sense to call it out. Otherwise, the ABNF needs to be fixed.

> 6.1. Normative References
>
>
>    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>               Requirement Levels", BCP 14, RFC 2119, March 1997.

I'm pretty sure you need normative references for HTTP, ABNF and URI.

 > ...

Best regards, Julian

From ietf@adambarth.com  Wed Nov  7 13:34:15 2012
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2774C21F8A3E for <websec@ietfa.amsl.com>; Wed,  7 Nov 2012 13:34:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level: 
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9pUwF2DdTYs for <websec@ietfa.amsl.com>; Wed,  7 Nov 2012 13:34:14 -0800 (PST)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id A9A5021F8A14 for <websec@ietf.org>; Wed,  7 Nov 2012 13:34:14 -0800 (PST)
Received: by mail-oa0-f44.google.com with SMTP id n5so2339142oag.31 for <websec@ietf.org>; Wed, 07 Nov 2012 13:34:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type :x-gm-message-state; bh=qHpoET4uGBczQaO7+DFecbiKpBq0tmOFqok3qQCFsCs=; b=Z/p4xzBpjwuPP92Cu5E5BiKmmcxipt7fMuXTkBYKmXuIMSwvWOAKzyjaYIqSqShGL1 zWkXvAMQIwEUldWTyy4NECh4MxEgCuhhkwlJz2VGMlF/Hsxh85YFaE6qYu7HuPhPZJvG wmxvG0CZ7pCMRLANtKLc+18vyOXO9TX3OOzjePtZ3qUYgQfySSgeLXAANIZbonrHU4tl OCWAYElUT2KOABayX/DGnsSztsomHKoq9ROwb0JkaIZdPKPQZ7M6+rwym+BdLb+usd92 YawX3Fn9VoWFzA5R2JpGGGHcfPiw8FVy08hkplhTbc1Zyti6LPzprmbhpbrck8fXoMR1 ySJg==
Received: by 10.60.169.48 with SMTP id ab16mr3270731oec.15.1352324054216; Wed, 07 Nov 2012 13:34:14 -0800 (PST)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id n7sm24710225obd.16.2012.11.07.13.34.11 (version=SSLv3 cipher=OTHER); Wed, 07 Nov 2012 13:34:12 -0800 (PST)
Received: by mail-ob0-f172.google.com with SMTP id v19so2295449obq.31 for <websec@ietf.org>; Wed, 07 Nov 2012 13:34:11 -0800 (PST)
Received: by 10.182.54.103 with SMTP id i7mr3898737obp.62.1352324051102; Wed, 07 Nov 2012 13:34:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.60.8.195 with HTTP; Wed, 7 Nov 2012 13:33:40 -0800 (PST)
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 7 Nov 2012 13:33:40 -0800
Message-ID: <CAJE5ia_1SDRZSF7KQTEB2jSKjHJ4-3=X3mO7dW0nLLosE2VT5w@mail.gmail.com>
To: websec <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnY/DAlXR8YCXrVJy4Zm2xX+8RlgAhNxy80J2JqGcZn5wBhiYas2/yFOU5h+FWV8mCRZAmj
Subject: [websec] WGLC feedback about allow-from in X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 21:34:15 -0000

In draft-ietf-websec-x-frame-options, we should note that allow-from
is an IE-only extension and is not implemented by any other user
agents.

Adam

From Jeff.Hodges@KingsMountain.com  Thu Nov  8 08:47:07 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA4B21F8471 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 08:47:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.349
X-Spam-Level: 
X-Spam-Status: No, score=-102.349 tagged_above=-999 required=5 tests=[AWL=-0.083, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yH60FMRhDP+0 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 08:47:06 -0800 (PST)
Received: from oproxy8-pub.bluehost.com (oproxy8-pub.bluehost.com [69.89.22.20]) by ietfa.amsl.com (Postfix) with SMTP id 5EA6221F8433 for <websec@ietf.org>; Thu,  8 Nov 2012 08:47:06 -0800 (PST)
Received: (qmail 4879 invoked by uid 0); 8 Nov 2012 16:46:42 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy8.bluehost.com with SMTP; 8 Nov 2012 16:46:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=Cqnd+kdIlvV3un6Z3DClkNaFI73dwGCU7S8dEKuhRbI=;  b=AFcWza1i1rzkcJCT/kMUeRNbdpANH8y7z+eHXq9x0wQMART8Dn2REe/P5fQSMZsYY0WGmVB9Ok1YvbWUgKqsO3eu9qM686WD1RXxirb/I3mF8+PPxam06lc9WP9JK1jN;
Received: from [130.129.80.110] (port=50146) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1TWVFZ-0001vQ-MV for websec@ietf.org; Thu, 08 Nov 2012 09:46:41 -0700
Message-ID: <509BE1F0.4010701@KingsMountain.com>
Date: Thu, 08 Nov 2012 08:46:40 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.80.110 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 16:47:07 -0000

thanks to Dave and Tobias for writing up this spec.

+1 to other folks' comments on this draft.

I suggest an explicit statement such as..

   The purpose of this specification is to document existing practice.


..should appear in the abstract and the intoduction.

It appears to me that there's various editorial roughness even beyond the prior 
comments that will be caught by the RFC editor (given my recent experience); 
the document would benefit from a thorough editorial pass.

one item I just noticed that's not mentioned by others it seems is that they 
header field name in S4.1.  Registration Template is..

   Header field name: X-Frame-Option

..yet it is referred to as "X-Frame-Options" in the rest of the spec (note the 
final "s" in the latter, but not in the former). It appears from..

http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

..that the latter is the correct form that ought to be registered with IANA ?

I wonder if also a note will be necessary to explain the use of the "X-" prefix 
in light of...

6648 Deprecating the "X-" Prefix and Similar Constructs in Application
      Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.


HTH,

=JeffH



From barryleiba.mailing.lists@gmail.com  Thu Nov  8 11:22:22 2012
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF4DD21F8853 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:22:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WA1glV248gOr for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:22:22 -0800 (PST)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2248321F8808 for <websec@ietf.org>; Thu,  8 Nov 2012 11:22:21 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id k13so2672270lbo.31 for <websec@ietf.org>; Thu, 08 Nov 2012 11:22:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=zvdLQ94iDNk1O8U7961i2DRhmyAdFutR4ZdzB3GkuBQ=; b=JjA3uog99r3+WgfbgAWOZS/JjBsuP7uuYoYUN/p0+7q5a7n36RC0JNsgYcSBlTba78 VSWzgEc0JmeOAiAQNytot+AcQA66p6Xn88otyAm1ng0euqt11FTq7q40nQ5LMAm1F9vb opHVIcrehcfIJRRnE1BlcsWP8Xo2YNYP4XCwHuUSgBtcLGL2UKx8zq7Pb1UqHh5RIqf4 4SxLvdqjacnxnbol2RGxArofo088BZIXsTq/lip/+BtaVzVof8Uk2FSjwKJceFkIoDmx Am+bRP6Rmk0aG4+J37WV+yGADCKBqghDbz93jpld0jmnbmj2R7iXCj+eEzrrm3TQ7/Pa 55PQ==
MIME-Version: 1.0
Received: by 10.112.10.34 with SMTP id f2mr3840886lbb.47.1352402541667; Thu, 08 Nov 2012 11:22:21 -0800 (PST)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.112.54.167 with HTTP; Thu, 8 Nov 2012 11:22:21 -0800 (PST)
In-Reply-To: <509BE1F0.4010701@KingsMountain.com>
References: <509BE1F0.4010701@KingsMountain.com>
Date: Thu, 8 Nov 2012 14:22:21 -0500
X-Google-Sender-Auth: KoBvkDaq7MZ4yjaiYGw-pa2lpJ8
Message-ID: <CAC4RtVB73u==2kW8DudYT1AcWxqCEbQw3f_z0zfq5rvQ_OE8-A@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 19:22:23 -0000

> I suggest an explicit statement such as..
>
>   The purpose of this specification is to document existing practice.
>
> ..should appear in the abstract and the intoduction.
...
> I wonder if also a note will be necessary to explain the use of the "X-"
> prefix in light of...
>
> 6648 Deprecating the "X-" Prefix and Similar Constructs in Application
>      Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.

These are, of course, related, and one statement can cover both.  I
can pretty much guarantee you'll get DISCUSSes from the IESG if you
don't do it.

Barry, as AD

From tobias.gondrom@gondrom.org  Thu Nov  8 11:28:53 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C837721F8944 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.284
X-Spam-Level: 
X-Spam-Status: No, score=-95.284 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MNVVcMzsfqWG for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:28:53 -0800 (PST)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id A34DA21F84DD for <websec@ietf.org>; Thu,  8 Nov 2012 11:28:52 -0800 (PST)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=rvNmTLOCMSgO7YgfYa7fr9KWloVhSqxpqwTuI/wXwOotu34kE61o0IpdVN/p4z92g0wQXOOWDYHGNR01RVC+U+/staGk5U3nrOyJGYnBqEUiiB2hT/Zk0fyBMSi5YFZs; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 6083 invoked from network); 8 Nov 2012 20:28:50 +0100
Received: from dhcp-12d4.meeting.ietf.org (HELO ?130.129.18.212?) (130.129.18.212) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 8 Nov 2012 20:28:49 +0100
Message-ID: <509C07EB.5090806@gondrom.org>
Date: Thu, 08 Nov 2012 14:28:43 -0500
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: barryleiba@computer.org
References: <509BE1F0.4010701@KingsMountain.com> <CAC4RtVB73u==2kW8DudYT1AcWxqCEbQw3f_z0zfq5rvQ_OE8-A@mail.gmail.com>
In-Reply-To: <CAC4RtVB73u==2kW8DudYT1AcWxqCEbQw3f_z0zfq5rvQ_OE8-A@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 19:28:54 -0000

On 08/11/12 14:22, Barry Leiba wrote:
>> I suggest an explicit statement such as..
>>
>>    The purpose of this specification is to document existing practice.
>>
>> ..should appear in the abstract and the intoduction.
> ...
>> I wonder if also a note will be necessary to explain the use of the "X-"
>> prefix in light of...
>>
>> 6648 Deprecating the "X-" Prefix and Similar Constructs in Application
>>       Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.
> These are, of course, related, and one statement can cover both.  I
> can pretty much guarantee you'll get DISCUSSes from the IESG if you
> don't do it.

Thank you Jeff for reminding me. Forgot to include them.
Well, as we already have PSA's RFC on that (which btw. inspired XFO, 
both (comment and reference) have been added to the text of working copy 
(released in next version after this week).


>
> Barry, as AD
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From stpeter@stpeter.im  Thu Nov  8 11:31:14 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F9321F84DD for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:31:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.513
X-Spam-Level: 
X-Spam-Status: No, score=-102.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHfr6-tis1Ni for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:31:13 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 5A10121F84D2 for <websec@ietf.org>; Thu,  8 Nov 2012 11:31:13 -0800 (PST)
Received: from [130.129.84.156] (unknown [130.129.84.156]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1D23B40062; Thu,  8 Nov 2012 12:35:04 -0700 (MST)
Message-ID: <509C0888.5000406@stpeter.im>
Date: Thu, 08 Nov 2012 14:31:20 -0500
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <509BE1F0.4010701@KingsMountain.com> <CAC4RtVB73u==2kW8DudYT1AcWxqCEbQw3f_z0zfq5rvQ_OE8-A@mail.gmail.com> <509C07EB.5090806@gondrom.org>
In-Reply-To: <509C07EB.5090806@gondrom.org>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: barryleiba@computer.org, websec@ietf.org
Subject: Re: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 19:31:14 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/8/12 2:28 PM, Tobias Gondrom wrote:
> On 08/11/12 14:22, Barry Leiba wrote:
>>> I suggest an explicit statement such as..
>>> 
>>> The purpose of this specification is to document existing
>>> practice.
>>> 
>>> ..should appear in the abstract and the intoduction.
>> ...
>>> I wonder if also a note will be necessary to explain the use of
>>> the "X-" prefix in light of...
>>> 
>>> 6648 Deprecating the "X-" Prefix and Similar Constructs in
>>> Application Protocols. P. Saint-Andre, D. Crocker, M.
>>> Nottingham. June 2012.
>> These are, of course, related, and one statement can cover both.
>> I can pretty much guarantee you'll get DISCUSSes from the IESG if
>> you don't do it.
> 
> Thank you Jeff for reminding me. Forgot to include them. Well, as
> we already have PSA's RFC on that (which btw. inspired XFO, both
> (comment and reference) have been added to the text of working
> copy (released in next version after this week).

I'm happy to look at that text when it is released.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCcCIgACgkQNL8k5A2w/vwkugCfR/41ujZQEe6R1laO/OMRsaD1
QrAAnRSUZkRg4gp5IorUZj9UfyTUq05l
=sBSk
-----END PGP SIGNATURE-----

From bhill@paypal-inc.com  Thu Nov  8 11:50:43 2012
Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2013721F8679 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:50:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UJnQPVRtDmj1 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 11:50:42 -0800 (PST)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com [216.113.175.153]) by ietfa.amsl.com (Postfix) with ESMTP id E445721F8AEA for <websec@ietf.org>; Thu,  8 Nov 2012 11:50:41 -0800 (PST)
DomainKey-Signature: s=paypalcorp; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To: Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: Content-Type:Content-Transfer-Encoding:MIME-Version: X-CFilter; b=ja+tDA67Wa5bAGXJU59F4Fhdewt7o3qk+HEL8r/sgmj0uFOPiBsp5fyT rUtMxbpECYSPaPkZ+B5uYhHaeLZSg9I9+xwgccuNomyEYSjyS2RnIvD/F dwym4HxK49+5hJbFhukgJmoe6PBUB+c7JIaSzLi4RPpD+MJ0VdSZz3qBS c=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=paypalcorp; t=1352404242; x=1383940242; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=bdUXhRxu+KEsb/SuWz/ZsbgkPRXBAMGtTGx7xP+qwkU=; b=fL1talGm1HP1Tm2ZgpDNGWyEZ6nC0hmPIu33hga8NWZj+nNJpTH9pez+ N8y1nCnLSGEzX2IZPjy6K5K8UlhOXcN2GPaZ3KWpZ/SscHPw1n1DgxvH5 3EgyBBuTXSdZWxGpDknWZY/pQIEjK6HbZuuQGn949jzTyEW9y9GGagHFY w=;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.80,739,1344236400"; d="scan'208";a="11224835"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-EXMHT-002.corp.ebay.com) ([10.101.112.213]) by den-mipot-002.corp.ebay.com with ESMTP; 08 Nov 2012 11:50:41 -0800
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-002.corp.ebay.com ([fe80::cbe:ffa5:17f0:a24a%14]) with mapi id 14.02.0318.004; Thu, 8 Nov 2012 12:50:40 -0700
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Yoav Nir <ynir@checkpoint.com>, IETF WebSec WG <websec@ietf.org>
Thread-Topic: WGLC for X-Frame-Options
Thread-Index: Ac2xb0zTHb33hMtRQwuRaMJzUgzEDQMeTzPQ
Date: Thu, 8 Nov 2012 19:50:40 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2E4970@DEN-EXDDA-S12.corp.ebay.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.245.27.241]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 19:50:43 -0000

In "2.3.1.  Enable HTML content from other domains", the object tag is ment=
ioned in addition to frame and iframe.  This list should also include the a=
pplet and embed tags, although user agent behavior may not be consistent on=
 this.

In "5. Security Considerations", it should be mentioned that current implem=
entations do not check the entire ancestor tree of the protected resource, =
and this may expose the resource to attack in multiply-nested scenarios.  F=
or example, if a resource on origin A embeds untrusted content from origin =
B, that untrusted content can embed another resource from origin A with an =
X-Frame-Options: SAMEORIGIN policy and that check will pass if the user age=
nt only verifies the top-level browsing context.

It should also probably be mentioned that X-Frame-Options MUST be sent as a=
n HTTP header and is explicitly ignored by user agents when declared with a=
 meta http-equiv tag.

-Brad Hill

> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf
> Of Yoav Nir
> Sent: Tuesday, October 23, 2012 6:40 PM
> To: IETF WebSec WG
> Subject: [websec] WGLC for X-Frame-Options
>=20
> Hi all
>=20
> This is to initiate WGLC for the X-Frame-Options draft (not to be confuse=
d
> with the Frame-Options draft).
>=20
> Please go to http://tools.ietf.org/html/draft-ietf-websec-x-frame-options=
-01,
> read the draft and send comments.
>=20
> As usual, we would very much like to hear comments about clarity,
> thoroughness and applicability. Since this draft documents existing behav=
ior,
> rather than prescribing future behavior, we would especially like to hear=
 from
> people familiar with current implementations that support the X-Frame-
> Option header about whether the draft accurately describes the behavior o=
f
> those implementations.
>=20
> WGLC is usually for two weeks. However, the following two weeks include a=
n
> IETF meeting, so I am extending this period to a little over three weeks.=
 WGLC
> will end on Friday, November 16th. Please send your comments early, so th=
at
> we might use our session in Atlanta to discuss issues that come up.
>=20
> Yoav
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

From trac+websec@trac.tools.ietf.org  Thu Nov  8 14:01:23 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC3721F8836 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 14:01:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqS6LH2ipFn3 for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 14:01:22 -0800 (PST)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [77.72.230.30]) by ietfa.amsl.com (Postfix) with ESMTP id B3B0221F880A for <websec@ietf.org>; Thu,  8 Nov 2012 14:01:21 -0800 (PST)
Received: from localhost ([127.0.0.1]:43300 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1TWa9x-0003ph-HL; Thu, 08 Nov 2012 23:01:13 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: palmer@google.com
X-Trac-Project: websec
Date: Thu, 08 Nov 2012 22:01:13 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/56
Message-ID: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org>
X-Trac-Ticket-ID: 56
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: palmer@google.com, sleevi@google.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org, sleevi@google.com
Subject: [websec]  #56: Specify includeSubdomains directive for HPKP
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 22:01:23 -0000

#56: Specify includeSubdomains directive for HPKP

 Example:

 Google.com PKP = key A, key B, includesubdomains
 WWW.Google.com PKP = key C

 Effective PKP?

 1) A, B, C (union)
 2) C (most specific)
 3) none (intersection)

 We think (2) is best.

-- 
-------------------------+-------------------------------
 Reporter:  palmer@…     |      Owner:  palmer@…
     Type:  defect       |     Status:  new
 Priority:  major        |  Milestone:
Component:  key-pinning  |    Version:
 Severity:  -            |   Keywords:  includeSubdomains
-------------------------+-------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/56>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Thu Nov  8 14:01:30 2012
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7A2B21F898E for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 14:01:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B3UPwTrhUQ9O for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 14:01:30 -0800 (PST)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [77.72.230.30]) by ietfa.amsl.com (Postfix) with ESMTP id 66F1621F880A for <websec@ietf.org>; Thu,  8 Nov 2012 14:01:30 -0800 (PST)
Received: from localhost ([127.0.0.1]:43323 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.77) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1TWaAD-0000Ml-Pd; Thu, 08 Nov 2012 23:01:29 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.12.2
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.2, by Edgewall Software
To: palmer@google.com
X-Trac-Project: websec
Date: Thu, 08 Nov 2012 22:01:29 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://tools.ietf.org/wg/websec/trac/ticket/56#comment:1
Message-ID: <073.d40b91d81cbf3caf09f91a3f886f6120@trac.tools.ietf.org>
References: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org>
X-Trac-Ticket-ID: 56
In-Reply-To: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: palmer@google.com, sleevi@google.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org, sleevi@google.com
Subject: Re: [websec] #56: Specify includeSubdomains directive for HPKP
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 22:01:31 -0000

#56: Specify includeSubdomains directive for HPKP

Changes (by palmer@…):

 * status:  new => assigned


-- 
-------------------------------+-----------------------
 Reporter:  palmer@…           |       Owner:  palmer@…
     Type:  defect             |      Status:  assigned
 Priority:  major              |   Milestone:
Component:  key-pinning        |     Version:
 Severity:  -                  |  Resolution:
 Keywords:  includeSubdomains  |
-------------------------------+-----------------------

Ticket URL: <http://tools.ietf.org/wg/websec/trac/ticket/56#comment:1>
websec <http://tools.ietf.org/websec/>


From alexey.melnikov@isode.com  Thu Nov  8 17:09:14 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A29221F853D for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 17:09:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.528
X-Spam-Level: 
X-Spam-Status: No, score=-102.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MDvmwQ2Sn4gG for <websec@ietfa.amsl.com>; Thu,  8 Nov 2012 17:09:13 -0800 (PST)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 3175521F841B for <websec@ietf.org>; Thu,  8 Nov 2012 17:09:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1352423351; d=isode.com; s=selector; i=@isode.com; bh=GMLyVjLYzyq+kIsBX23Q1w5iBEPwQCvSN4fpl0gHr+0=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=sR+DRi815Bnr9Psli0T+iSDNNCB9vVroM1wcfioAr0GqiUZ4pHA/BogC6M8OZfaWhvVUbM ccJijqQM1NKMTMihY2Kix0u9H8HHqXzU+wjY+meWL5PbMh18eERe3uNGi1VyEJ7z9a+Wvl N+BPxFm2Ae2Tg5gtj5JeTooRmN3lhTs=;
Received: from [130.129.18.182] (dhcp-12b6.meeting.ietf.org [130.129.18.182])  by waldorf.isode.com (submission channel) via TCP with ESMTPA  id <UJxXtgBK0n1O@waldorf.isode.com>; Fri, 9 Nov 2012 01:09:11 +0000
Message-ID: <509C57C2.5010205@isode.com>
Date: Fri, 09 Nov 2012 01:09:22 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: IETF WebSec WG <websec@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [websec] Transfer of draft-ietf-websec-frame-options-00.txt ownership to W3C
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2012 01:09:14 -0000

Hi,
Today during the face-to-face WebSec meeting in Atlanta there was rough 
consensus of the room that it would be better to finish this work in 
W3C. If you have objections to the fact, in particularly if you think 
there are good reasons not to do that, please reply to this message or 
email WG chairs directly at websec-chairs@tools.ietf.org.

Thank you,
Alexey, as a WebSec co-chair.


From ynir@checkpoint.com  Tue Nov 13 13:25:22 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C8E421F844E for <websec@ietfa.amsl.com>; Tue, 13 Nov 2012 13:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.576
X-Spam-Level: 
X-Spam-Status: No, score=-10.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eogWCfZAS6UU for <websec@ietfa.amsl.com>; Tue, 13 Nov 2012 13:25:21 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1F07F21F844B for <websec@ietf.org>; Tue, 13 Nov 2012 13:25:20 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qADLPKG9008218 for <websec@ietf.org>; Tue, 13 Nov 2012 23:25:20 +0200
X-CheckPoint: {50A2B7C0-3-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.194]) by IL-EX10.ad.checkpoint.com ([169.254.2.194]) with mapi id 14.02.0318.004; Tue, 13 Nov 2012 23:25:19 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: Meeting minutes uploaded
Thread-Index: AQHNweVhfA8IHyCfL0GqisH3wSMBcw==
Date: Tue, 13 Nov 2012 21:25:18 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210157DE@IL-EX10.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.21.170]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11926941405aa09467a71868e562211d3adeeb54c6
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B1D80299D4AE6B47BF07E9014BF4D720@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [websec] Meeting minutes uploaded
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2012 21:25:22 -0000

Hi all

I've uploaded the minutes. Please reply to this message for any corrections=
. The minutes are here:
http://www.ietf.org/proceedings/85/minutes/minutes-85-websec

Thanks again to Cyrus for taking the notes.

Yoav


From ynir@checkpoint.com  Wed Nov 14 00:09:37 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5048021F86AD for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 00:09:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rCZ+hSGRVaqF for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 00:09:36 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id D6D3F21F85A4 for <websec@ietf.org>; Wed, 14 Nov 2012 00:09:34 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qAE89UMQ024831 for <websec@ietf.org>; Wed, 14 Nov 2012 10:09:30 +0200
X-CheckPoint: {50A34EB6-1-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.194]) by IL-EX10.ad.checkpoint.com ([169.254.2.194]) with mapi id 14.02.0318.004; Wed, 14 Nov 2012 10:09:29 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: WGLC for X-Frame-Options
Thread-Index: Ac2xb0zTHb33hMtRQwuRaMJzUgzEDQQv02sA
Date: Wed, 14 Nov 2012 08:09:29 +0000
Message-ID: <4613980CFC78314ABFD7F85CC3027721015E74@IL-EX10.ad.checkpoint.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [91.90.139.85]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11af8b1d98a356cb9215df355922dbefed55f6be47
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F402EF8D1AE1B74A993B1C42AA7278F0@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 08:09:37 -0000

Reminder: WGLC ends this Friday. Please send in your reviews.

On Oct 24, 2012, at 12:39 AM, Yoav Nir wrote:

> Hi all
>=20
> This is to initiate WGLC for the X-Frame-Options draft (not to be confuse=
d with the Frame-Options draft).
>=20
> Please go to http://tools.ietf.org/html/draft-ietf-websec-x-frame-options=
-01, read the draft and send comments.
>=20
> As usual, we would very much like to hear comments about clarity, thoroug=
hness and applicability. Since this draft documents existing behavior, rath=
er than prescribing future behavior, we would especially like to hear from =
people familiar with current implementations that support the X-Frame-Optio=
n header about whether the draft accurately describes the behavior of those=
 implementations.
>=20
> WGLC is usually for two weeks. However, the following two weeks include a=
n IETF meeting, so I am extending this period to a little over three weeks.=
 WGLC will end on Friday, November 16th. Please send your comments early, s=
o that we might use our session in Atlanta to discuss issues that come up.
>=20
> Yoav


From stpeter@stpeter.im  Wed Nov 14 09:31:20 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A25021F85F3 for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 09:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.484
X-Spam-Level: 
X-Spam-Status: No, score=-102.484 tagged_above=-999 required=5 tests=[AWL=0.115, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNfHyHSLYf7a for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 09:31:19 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id ADF0621F857D for <websec@ietf.org>; Wed, 14 Nov 2012 09:31:19 -0800 (PST)
Received: from [64.101.72.39] (unknown [64.101.72.39]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id CFC7940062 for <websec@ietf.org>; Wed, 14 Nov 2012 10:35:29 -0700 (MST)
Message-ID: <50A3D56A.9000000@stpeter.im>
Date: Wed, 14 Nov 2012 10:31:22 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 17:31:20 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/23/12 4:39 PM, Yoav Nir wrote:

> This is to initiate WGLC for the X-Frame-Options draft

Lacking time for a thorough review, I'll provide only a few small
suggestions (take them or leave them as you will)...

Abstract

"this standard defines" => "this document defines"

Introduction

OLD
This draft is to document the current use of X-Frame-Options header
and shall in the future be replaced by the Frame-Options
[FRAME-OPTIONS] standard.

NEW
This specification provides informational documentation about the
current definition and use of the X-Frame-Options header.  Given that
the "X-" construction is deprecated [RFC6648], the X-Frame-Options
header will in the future be replaced by the Frame-Options
[FRAME-OPTIONS] header.

[note: I'm not sure if the migration from X-Frame-Options to
Frame-Options is really motivated by the considerations in RFC 6648,
thus you might not want to include the first clause of the second
sentence above]

IANA Considerations

Does this header really belong in the permanent registry, given that
there are already plans to deprecate it?

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCj1WoACgkQNL8k5A2w/vyW7wCg7HyBtBin75GMTLNdcbrzmN8F
9AkAnRr82AN+gGg/KwVLj5EQ8pqeVLJW
=r3Hk
-----END PGP SIGNATURE-----

From Jeff.Hodges@KingsMountain.com  Wed Nov 14 10:33:27 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC9A121F852D for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 10:33:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.265
X-Spam-Level: 
X-Spam-Status: No, score=-102.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJZFr6Acg1QN for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 10:33:27 -0800 (PST)
Received: from oproxy7-pub.bluehost.com (oproxy7-pub.bluehost.com [67.222.55.9]) by ietfa.amsl.com (Postfix) with SMTP id EA15521F87A6 for <websec@ietf.org>; Wed, 14 Nov 2012 10:33:26 -0800 (PST)
Received: (qmail 7592 invoked by uid 0); 14 Nov 2012 18:33:03 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy7.bluehost.com with SMTP; 14 Nov 2012 18:33:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=cX8VJ3QOspl+T84m6MyjF8xxJFWB2U+KNF2Il0YGq4I=;  b=UND83RgvaCbts+Igc6vc2XT7ke7M5qXqvPpIUURYwDTfyzNgGQGF2AYpTZV2vXKdFhrIr2gK3jljYwGAZTOxAtsmBO82umfXk2UgF71vTUERCRAV6ftbq+IDRc40mR9X;
Received: from [216.113.168.128] (port=14771 helo=[10.244.136.180]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1TYhlm-0001cd-Qg for websec@ietf.org; Wed, 14 Nov 2012 11:33:02 -0700
Message-ID: <50A3E3E0.7020708@KingsMountain.com>
Date: Wed, 14 Nov 2012 10:33:04 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] Meeting minutes uploaded
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 18:33:27 -0000

 > I've uploaded the minutes. Please reply to this message for any correc=
tions.
 > The minutes are here:
 > http://www.ietf.org/proceedings/85/minutes/minutes-85-websec
 >
 > Thanks again to Cyrus for taking the notes.

thanks to Yoav & Cyrus doin' up the minutes.

For convenience, here they are directly and in plain text...

###

WebSec Minutes

IETF-85 Atlanta
=09
The WebSec working group met on Thursday, November 8th at 17:30 for 1 hou=
r.

Cyrus Daboo scribed on Jabber (thanks, Cyrus!)

HSTS is now in the RFC Editor's queue, and should be published soon.
The chairs also reminded the participants of X-Frame-Options that is
now in WGLC. We've had some good reviews, but more would be better.

Gordon Hemsley (not present) had taken on writing a mime-sniffing
document at  WHAT-WG. This has been a charter item in WebSec, but we
have not done any work on this for over a year. The W3C has documents
referencing the mime-=AD? sniffing document. Nobody in the group objected=

to having this move to WHAT-WG, and according to Larry Manister, the
W3C is also fine with referencing the WHAT-=AD?WG document, so the work
item will be removed from our charter.

Similarly, the WebAppSec group at W3C has asked to have the
Frame-Options  document move to them as part of a UI-Safety document
which they are in the  process of writing. Brad Hill argued for moving
it, while Tobias Gondrom argued  against. While there are some
technical concerns about the solution in W3C,  those can also be
debated and resolved in W3C. As there was little objection to  the
move, this work item will also be removed from our charter after the
chairs  handle the move through the liaisons.

Jeff Hodges presented his security framework draft. This is part of our
charter, but no document has so far been adopted. The feeling in the
room was that there would be consensus to adopt this, and we will take
it to the list after Jeff submits the next revision. 4 people raised
their hands when asked who would be willing to review the draft. That
is not a lot, but I was not counting chairs / ADs.

Ryan Sleevi presented on the progress on cert-pinning. There are some
open issues that should be discussed on the list. The two most sticky
among them are  the issue of UA behavior in the face of a TLS proxy
(issue #53), and interaction  between this and HSTS (also in the face
of a TLS proxy). Ryan said that he and the authors had more time to
spend on this document now, so hopefully progress will be swifter.

Alexey announced that he would be stepping down as WG chair.

###





From masinter@adobe.com  Wed Nov 14 17:02:47 2012
Return-Path: <masinter@adobe.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214D721F87B4 for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 17:02:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.899
X-Spam-Level: 
X-Spam-Status: No, score=-102.899 tagged_above=-999 required=5 tests=[AWL=-1.900, BAYES_50=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uaty5p1sFXZg for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 17:02:46 -0800 (PST)
Received: from exprod6og123.obsmtp.com (exprod6og123.obsmtp.com [64.18.1.241]) by ietfa.amsl.com (Postfix) with ESMTP id 2B6E721F87A5 for <websec@ietf.org>; Wed, 14 Nov 2012 17:02:46 -0800 (PST)
Received: from outbound-smtp-2.corp.adobe.com ([193.104.215.16]) by exprod6ob123.postini.com ([64.18.5.12]) with SMTP ID DSNKUKQ/NAfyOj9P3vPXAfxg/kSQ0p4C9mdP@postini.com; Wed, 14 Nov 2012 17:02:46 PST
Received: from inner-relay-4.eur.adobe.com (inner-relay-4b [10.128.4.237]) by outbound-smtp-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id qAF12iHP024249; Wed, 14 Nov 2012 17:02:44 -0800 (PST)
Received: from nahub01.corp.adobe.com (nahub01.corp.adobe.com [10.8.189.97]) by inner-relay-4.eur.adobe.com (8.12.10/8.12.9) with ESMTP id qAF12gXL012931; Wed, 14 Nov 2012 17:02:43 -0800 (PST)
Received: from nambxv01a.corp.adobe.com ([10.8.189.95]) by nahub01.corp.adobe.com ([10.8.189.97]) with mapi; Wed, 14 Nov 2012 17:02:42 -0800
From: Larry Masinter <masinter@adobe.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, IETF WebSec WG <websec@ietf.org>
Date: Wed, 14 Nov 2012 17:02:41 -0800
Thread-Topic: [websec] Meeting minutes uploaded
Thread-Index: Ac3Clo3DZJUNRcNMRwiiRtL9lUInrAANEvpw
Message-ID: <C68CB012D9182D408CED7B884F441D4D1E36EF3456@nambxv01a.corp.adobe.com>
References: <50A3E3E0.7020708@KingsMountain.com>
In-Reply-To: <50A3E3E0.7020708@KingsMountain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [websec] Meeting minutes uploaded
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 01:02:47 -0000

Re Mime sniffing, the minutes reported:

> Nobody in the group objected
> to having this move to WHAT-WG, and according to Larry Manister, the
> W3C is also fine with referencing the WHAT-?WG document, so the work
> item will be removed from our charter.

I did not say this. What I said in the meeting was that I had no objection =
to the working group dropping the work in the IETF.

To elaborate:
* I think dropping the work is the logical action if none of the implemento=
rs are willing to do the work in the IETF.

* I do not speak for W3C and what the W3C is "Fine with".
* However, I believe W3C management is concerned about insuring stable  nor=
mative references in W3C specs, but they will deal with those.

Larry


From hallam@gmail.com  Wed Nov 14 17:54:00 2012
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2529821F84D5 for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 17:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.61
X-Spam-Level: 
X-Spam-Status: No, score=-3.61 tagged_above=-999 required=5 tests=[AWL=-1.252,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRYOUVHFSOGR for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 17:53:58 -0800 (PST)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9C34921F84C4 for <websec@ietf.org>; Wed, 14 Nov 2012 17:53:58 -0800 (PST)
Received: by mail-oa0-f44.google.com with SMTP id n5so1233496oag.31 for <websec@ietf.org>; Wed, 14 Nov 2012 17:53:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=k4YQHe012Qya8BOKesdUUzYSbgkdG1kFfVl/mBy8lqU=; b=Z1SiNjetFclSGFl0WO0l7En6lrP6b1F17ek6OaSDqdxaRZ0cbacwmBN6OU/wVHekAC b7G9d4vp6exAlnhJ2Daz2hkJZogze/C6htBDIhKgNZthjcDNPYsIj7Udf/x9XsN1enqI dsHkUN2REYJw8BFeZxznCPpYKqqQz95ArTIzw/JhXz+cmZ3nalFHNwVu4d4kL0vr4RVE yabm1GDJeXOsqKrnC/gWzWeEGBC2LYzNwVP9bt3fu4oRMJ6C4eeZHUwHYrJMSKqXER0g NwRvEp+IOhH2955DU8P7MtI3oQShrsAEc2CxR9wWxm7G7kEeR68MTGdLgNf+B8SjEdbs vn/w==
MIME-Version: 1.0
Received: by 10.60.28.42 with SMTP id y10mr21225195oeg.24.1352944438123; Wed, 14 Nov 2012 17:53:58 -0800 (PST)
Received: by 10.76.27.103 with HTTP; Wed, 14 Nov 2012 17:53:57 -0800 (PST)
Date: Wed, 14 Nov 2012 20:53:57 -0500
Message-ID: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: websec <websec@ietf.org>
Content-Type: multipart/alternative; boundary=e89a8f503b84a29d6404ce7eec09
Subject: [websec] HTTP Integrity header / Session Continuation scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 01:54:00 -0000

--e89a8f503b84a29d6404ce7eec09
Content-Type: text/plain; charset=ISO-8859-1

There is a new draft at:
http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02

One of the biggest holes in the Web Security scheme is the fact that
cookies end up being used as bearer tokens and this is a very, very bad
idea. It leads to all sorts of cookie stealing schemes which are very hard
to deal with because while the HTTP stack is simple, the Web stack of HTTP
+ HTML + JavaScript + Random plugins is very complicated and many parts
were originally designed by people who didn't know what the rest did.

While we cannot move to eliminate cookies overnight, there are some
companies with affiliate schemes that are loosing seven or eight figure
sums each year in affiliate fraud. If even one of the major browsers
supported a mechanism that prevented cookie stealing, they would see an
instant return.


The scheme described in the draft is NOT an authentication scheme, rather
it describes one small part of the authentication scheme, the part that
allows an authentication/authorization context established in one protocol
exchange to be continued into further transactions.

The mechanism by which the authentication context is established is outside
the scope of the draft because that is an area where there can be a lot of
useful variation. If an organization has a Kerberos server or SAML
infrastructure already then it makes sense to use those. There is never
going to be a single canonical means of managing user credentials or
presenting/validating them.

But when you look at how a good authentication mechanism continues on from
the point the session has been established it pretty much boils down to
some form of identifier to specify the session and some sort of shared
secret used to create a result that authenticates the session. We can add
in additional information such as nonces and time values and counters and
the like to prevent replay attacks but these are generic mechanisms that
can be used to the same effect whether we used Kerberos, OpenID, SAML or
some newfangled scheme to set up the context.


I am not quite sure where this would be best progressed. In the short term
I was thinking of applying for a provisional HTTP header assignment so that
I can start using it in the Web Service protocol I am writing (omnibroker).
But right now the scheme could fit in WebSec or could fit in HTTPbis or
even the proposed Web Authentication WG.

Regardless of where the work ends up, I think it is clear that if we are
going to specify any new HTTP authentication schemes we are going to end up
addressing the issue of session continuation somewhere and that the
eventual solution needs to be reviewed by the people in all three places
(if they are distinct persons).


-- 
Website: http://hallambaker.com/

--e89a8f503b84a29d6404ce7eec09
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

There is a new draft at:<div><a href=3D"http://tools.ietf.org/html/draft-ha=
llambaker-httpintegrity-02">http://tools.ietf.org/html/draft-hallambaker-ht=
tpintegrity-02</a></div><div><br></div><div>One of the biggest holes in the=
 Web Security scheme is the fact that cookies end up being used as bearer t=
okens and this is a very, very bad idea. It leads to all sorts of cookie st=
ealing schemes which are very hard to deal with because while the HTTP stac=
k is simple, the Web stack of HTTP + HTML + JavaScript + Random plugins is =
very complicated and many parts were originally designed by people who didn=
&#39;t know what the rest did.</div>
<div><br></div><div>While we cannot move to eliminate cookies overnight, th=
ere are some companies with affiliate schemes that are loosing seven or eig=
ht figure sums each year in affiliate fraud. If even one of the major brows=
ers supported a mechanism that prevented cookie stealing, they would see an=
 instant return.=A0</div>
<div><br></div><div><br></div><div>The scheme described in the draft is NOT=
 an authentication scheme, rather it describes one small part of the authen=
tication scheme, the part that allows an authentication/authorization conte=
xt established in one protocol exchange to be continued into further transa=
ctions.=A0</div>
<div><br></div><div>The mechanism by which the authentication context is es=
tablished is outside the scope of the draft because that is an area where t=
here can be a lot of useful variation. If an organization has a Kerberos se=
rver or SAML infrastructure already then it makes sense to use those. There=
 is never going to be a single canonical means of managing user credentials=
 or presenting/validating them.</div>
<div><br></div><div>But when you look at how a good authentication mechanis=
m continues on from the point the session has been established it pretty mu=
ch boils down to some form of identifier to specify the session and some so=
rt of shared secret used to create a result that authenticates the session.=
 We can add in additional information such as nonces and time values and co=
unters and the like to prevent replay attacks but these are generic mechani=
sms that can be used to the same effect whether we used Kerberos, OpenID, S=
AML or some newfangled scheme to set up the context.<br clear=3D"all">
<div><br></div><div><br></div><div>I am not quite sure where this would be =
best progressed. In the short term I was thinking of applying for a provisi=
onal HTTP header assignment so that I can start using it in the Web Service=
 protocol I am writing (omnibroker). But right now the scheme could fit in =
WebSec or could fit in HTTPbis or even the proposed Web Authentication WG.<=
/div>
<div><br></div><div>Regardless of where the work ends up, I think it is cle=
ar that if we are going to specify any new HTTP authentication schemes we a=
re going to end up addressing the issue of session continuation somewhere a=
nd that the eventual solution needs to be reviewed by the people in all thr=
ee places (if they are distinct persons).</div>
<div><br></div><div><br></div>-- <br>Website: <a href=3D"http://hallambaker=
.com/">http://hallambaker.com/</a><br><br>
</div>

--e89a8f503b84a29d6404ce7eec09--

From ynir@checkpoint.com  Wed Nov 14 22:01:43 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5106421F865B for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 22:01:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.578
X-Spam-Level: 
X-Spam-Status: No, score=-10.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xTnjDoQnXqe4 for <websec@ietfa.amsl.com>; Wed, 14 Nov 2012 22:01:42 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id EC3E621F8639 for <websec@ietf.org>; Wed, 14 Nov 2012 22:01:41 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qAF61X2d003493; Thu, 15 Nov 2012 08:01:33 +0200
X-CheckPoint: {50A4822E-3-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.194]) by IL-EX10.ad.checkpoint.com ([169.254.2.194]) with mapi id 14.02.0318.004; Thu, 15 Nov 2012 08:01:32 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Larry Masinter <masinter@adobe.com>
Thread-Topic: [websec] Meeting minutes uploaded
Thread-Index: AQHNwpaPngseIAMGGUm8qxwtCo6L55fp8x6AgABTRAA=
Date: Thu, 15 Nov 2012 06:01:31 +0000
Message-ID: <4613980CFC78314ABFD7F85CC3027721016ED2@IL-EX10.ad.checkpoint.com>
References: <50A3E3E0.7020708@KingsMountain.com> <C68CB012D9182D408CED7B884F441D4D1E36EF3456@nambxv01a.corp.adobe.com>
In-Reply-To: <C68CB012D9182D408CED7B884F441D4D1E36EF3456@nambxv01a.corp.adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.20.234]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 113126a6411e18f16acb2bec935a27ca3179ed97c2
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9A2734FC9DE20848A4AE939CA0864428@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Meeting minutes uploaded
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 06:01:43 -0000

Hi Larry.=20

I believe you said the W3C specs have already been changed to point to the =
WHAT-WG document. But I'll change the minutes to say "Nobody in the group o=
bjected to having this move to WHAT-WG, and the W3C documents can point to =
that document."


On Nov 15, 2012, at 3:02 AM, Larry Masinter wrote:

> Re Mime sniffing, the minutes reported:
>=20
>> Nobody in the group objected
>> to having this move to WHAT-WG, and according to Larry Manister, the
>> W3C is also fine with referencing the WHAT-?WG document, so the work
>> item will be removed from our charter.
>=20
> I did not say this. What I said in the meeting was that I had no objectio=
n to the working group dropping the work in the IETF.
>=20
> To elaborate:
> * I think dropping the work is the logical action if none of the implemen=
tors are willing to do the work in the IETF.
>=20
> * I do not speak for W3C and what the W3C is "Fine with".
> * However, I believe W3C management is concerned about insuring stable  n=
ormative references in W3C specs, but they will deal with those.
>=20
> Larry
>=20


From stephen.farrell@cs.tcd.ie  Thu Nov 15 01:05:56 2012
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9E221F8639 for <websec@ietfa.amsl.com>; Thu, 15 Nov 2012 01:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6E6g+y8HPEq for <websec@ietfa.amsl.com>; Thu, 15 Nov 2012 01:05:56 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id CDA5B21F85C4 for <websec@ietf.org>; Thu, 15 Nov 2012 01:05:54 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 32500BE1C; Thu, 15 Nov 2012 09:05:30 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hy90zZ08ZlY7; Thu, 15 Nov 2012 09:05:29 +0000 (GMT)
Received: from [10.87.48.10] (unknown [86.44.71.235]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 63C14BDCC; Thu, 15 Nov 2012 09:05:29 +0000 (GMT)
Message-ID: <50A4B059.4020004@cs.tcd.ie>
Date: Thu, 15 Nov 2012 09:05:29 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com>
In-Reply-To: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] HTTP Integrity header / Session Continuation scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 09:05:56 -0000

Just on one point...

On 11/15/2012 01:53 AM, Phillip Hallam-Baker wrote:
> But right now the scheme could fit in WebSec or could fit in HTTPbis or
> even the proposed Web Authentication WG.

The proposal is for an HTTP authentication WG and not for
a broader web authentication WG. Only worth pointing out
since that caused some confusion at the BoF.

Ta,
S.


From bhill@paypal-inc.com  Thu Nov 15 14:31:35 2012
Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B1921F87A7 for <websec@ietfa.amsl.com>; Thu, 15 Nov 2012 14:31:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YDt7clp3RqLO for <websec@ietfa.amsl.com>; Thu, 15 Nov 2012 14:31:32 -0800 (PST)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com [216.113.175.153]) by ietfa.amsl.com (Postfix) with ESMTP id 408B321F869B for <websec@ietf.org>; Thu, 15 Nov 2012 14:31:25 -0800 (PST)
DomainKey-Signature: s=paypalcorp; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Thread-Topic:Thread-Index:Date:Message-ID:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: x-originating-ip:Content-Type:MIME-Version:X-CFilter; b=Oh3CadZmnwRpOxhOPXQP1mOa0j/l1jF3SfFPUyw9q47qXotS4HWcON4v 1ua6/GsgCz74Y7nylqgRVPOIPtTtVZbWs4pXl9aeks8cL2fQcny0BgMFU oCYTXMMg8M0WXvbPf4WKEhIz8zhabN0Q0bpYhSfhLSSpDKnu7tWAqDw8T I=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=paypalcorp; t=1353018692; x=1384554692; h=from:to:cc:subject:date:message-id:mime-version; bh=LG64fgXztXdUyHLsYLwMLk0z4e39/kbC92YXYxJUWZw=; b=FQ9/bX8X8e/xFAUbR0BS43GRDK/gKuBCWnN4IE06hJdCoJp7l7lwCS/l l5StWiP3rRucwUvMdn/gbTlwGqXG5JV2vo5ubvw+AiGdqbCfhaKtkVgzL I9Cz5vPXu1lWdJ3lSO4t7GtqfvTJSeQsX76I1T9Evrozxdb8pWGWpQyBy U=;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.83,259,1352102400"; d="scan'208,217";a="11347099"
Received: from den-vtenf-001.corp.ebay.com (HELO DEN-EXMHT-005.corp.ebay.com) ([10.101.112.212]) by den-mipot-002.corp.ebay.com with ESMTP; 15 Nov 2012 14:31:25 -0800
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-005.corp.ebay.com ([fe80::8109:2a37:17ad:e57e%18]) with mapi id 14.02.0318.004; Thu, 15 Nov 2012 15:31:25 -0700
From: "Hill, Brad" <bhill@paypal-inc.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
Thread-Topic: Call for Consensus: CORS to Candidate Recommendation
Thread-Index: Ac3DgPIpzwoP6yy6TYu+ZSd08/k7Pg==
Date: Thu, 15 Nov 2012 22:31:24 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9@DEN-EXDDA-S12.corp.ebay.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.245.27.243]
Content-Type: multipart/alternative; boundary="_000_370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9DENEXDDAS12corpeb_"
MIME-Version: 1.0
X-CFilter: Scanned
Cc: "Anne van Kesteren \(annevk@annevk.nl\)" <annevk@annevk.nl>, "public-web-security@w3.org" <public-web-security@w3.org>, "websec@ietf.org" <websec@ietf.org>
Subject: [websec] Call for Consensus: CORS to Candidate Recommendation
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 22:31:35 -0000

--_000_370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9DENEXDDAS12corpeb_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

WebApps and WebAppSec WG members, (and copied security interest groups who =
we invite to provide comments)

Following discussion at TPAC, I've resolved outstanding changes in the secu=
rity considerations section agreed to by WebAppSec as well as differences b=
etween the W3C and WHATWG versions of CORS, and believe we are ready to go =
to Candidate Recommendation.  We probably have enough implementations to pr=
oceed directly to Proposed Recommendation, but our test suite still needs b=
etter documentation of its coverage and some test cases need repairs, so I =
believe moving to CR first, and as soon as possible, is the right next step=
, while we work out those details.

I have placed a draft for review at:

http://www.w3.org/2011/webappsec/cors-draft/

And this is a Call for Consensus among the WebAppSec and WebApps WGs to tak=
e this particular text (with necessary additions to the Status of this Docu=
ment section if approved) forward to Candidate Recommendation.

Please send comments to public-webappsec@w3.org<mailto:public-webappsec@w3.=
org> , positive feedback is encouraged.

This CfC will end on November 23, 2012.

Substantive changes from the last published version (both pulled from the W=
HATWG version) include:

1.        updating the redirect status codes to include the newly defined 3=
08

2.       adding the referrer source header as input to the fetch algorithm

Non-substantive changes include:


1.       Clarified text defining 5.1, Access-Control-Origin allow header to=
 read: the value of the Origin request header, "*", or "null"

2.       Updated "certificates differ" reason for algorithm abort to "certi=
ficate errors"

3.       Replaced "ambient authority" with "user credentials sent with cros=
s-origin requests"

4.       Replaced a number of instances of "server" with more consistent us=
age of "resource"

5.       Updated language slightly about OWS in header value definitions in=
 HTTP/1.1 spec

6.       Removed reference in security considerations to Origin header as a=
 credential, as it is explicitly defined as not being a credential

7.       Deleted paragraph in security considerations section on forwarding=
 attacks as on further consideration it is not a genuine concern

8.       Removed language about validating data in the security considerati=
ons section comparing CORS to JSONP

9.       Removed "safe and idempotent" language in security considerations =
and replaced with "significance other than retrieval"

10.   Changed "implicit" credentials language to "user credentials automati=
cally attached to the request by the user agent"

11.   Updated language in security considerations on path-distinguished app=
lication principals vs. origin-distinguished principals

12.   Merged updated thanks and acknowledgements from WHATWG version

13.   Removed language about multiple origins in security considerations as=
 that is now forbidden by the redirect steps

14.   Added a non-normative "Implementation Considerations" as Section 6.4 =
under the Resource Processing Model with the following text:

"Resources that wish to enable themselves to be shared with multiple
  <code>Origins</code> but do not respond uniformly with <code>"*"</code>
  must in practice generate the <code>Access-Control-Allow-Origin</code>
  header dynamically in response to every request they wish
  to allow.  As a consequence, authors of such resources should send a
  <code>Vary: Origin</code> HTTP header or provide other appropriate contro=
l
  directives to prevent caching of such responses, which may be inaccurate
  if re-used across-origins."

Thank you,

Brad Hill
WebAppSec WG Co-Chair

--_000_370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9DENEXDDAS12corpeb_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:1403478519;
	mso-list-type:hybrid;
	mso-list-template-ids:-221897716 67698703 67698713 67698715 67698703 67698=
713 67698715 67698703 67698713 67698715;}
@list l0:level1
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level2
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level3
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l0:level4
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level5
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level6
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l0:level7
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level8
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level9
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1
	{mso-list-id:1836872829;
	mso-list-type:hybrid;
	mso-list-template-ids:-1302582948 67698703 67698713 67698715 67698703 6769=
8713 67698715 67698703 67698713 67698715;}
@list l1:level1
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level2
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level3
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level4
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level5
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level6
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level7
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level8
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level9
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">WebApps and WebAppSec WG members, (and copied securi=
ty interest groups who we invite to provide comments)<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Following discussion at TPAC, I&#8217;ve resolved ou=
tstanding changes in the security considerations section agreed to by WebAp=
pSec as well as differences between the W3C and WHATWG versions of CORS, an=
d believe we are ready to go to Candidate
 Recommendation.&nbsp; We probably have enough implementations to proceed d=
irectly to Proposed Recommendation, but our test suite still needs better d=
ocumentation of its coverage and some test cases need repairs, so I believe=
 moving to CR first, and as soon as possible,
 is the right next step, while we work out those details.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I have placed a draft for review at:<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><a href=3D"http://www.w3.org/2011/webappsec/cors-dra=
ft/"><span style=3D"text-decoration:none">http://www.w3.org/2011/webappsec/=
cors-draft/</span></a><o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">And this is a Call for Consensus among the WebAppSec=
 and WebApps WGs to take this particular text (with necessary additions to =
the Status of this Document section if approved) forward to Candidate Recom=
mendation.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Please send comments to <a href=3D"mailto:public-web=
appsec@w3.org">
public-webappsec@w3.org</a> , positive feedback is encouraged.<o:p></o:p></=
p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">This CfC will end on November 23, 2012.<o:p></o:p></=
p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Substantive changes from the last published version =
(both pulled from the WHATWG version) include:<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l0 level=
1 lfo2"><![if !supportLists]><span style=3D"mso-list:Ignore">1.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>&nbsp;updating the redirect status codes to include=
 the newly defined 308<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l0 level=
1 lfo2"><![if !supportLists]><span style=3D"mso-list:Ignore">2.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>adding the referrer source header as input to the f=
etch algorithm
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Non-substantive changes include:<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">1.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Clarified text defining 5.1, Access-Control-Origin =
allow header to read: the value of the Origin request header, &#8220;*&#822=
1;, or &#8220;null&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">2.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Updated &#8220;certificates differ&#8221; reason fo=
r algorithm abort to &#8220;certificate errors&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">3.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Replaced &#8220;ambient authority&#8221; with &#822=
0;user credentials sent with cross-origin requests&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">4.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Replaced a number of instances of &#8220;server&#82=
21; with more consistent usage of &#8220;resource&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">5.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Updated language slightly about OWS in header value=
 definitions in HTTP/1.1 spec<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">6.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Removed reference in security considerations to Ori=
gin header as a credential, as it is explicitly defined as not being a cred=
ential<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">7.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Deleted paragraph in security considerations sectio=
n on forwarding attacks as on further consideration it is not a genuine con=
cern<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">8.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Removed language about validating data in the secur=
ity considerations section comparing CORS to JSONP<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">9.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;
</span></span><![endif]>Removed &#8220;safe and idempotent&#8221; language =
in security considerations and replaced with &#8220;significance other than=
 retrieval&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">10.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;
</span></span><![endif]>Changed &#8220;implicit&#8221; credentials language=
 to &#8220;user credentials automatically attached to the request by the us=
er agent&#8221;<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">11.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;
</span></span><![endif]>Updated language in security considerations on path=
-distinguished application principals vs. origin-distinguished principals<o=
:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">12.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;
</span></span><![endif]>Merged updated thanks and acknowledgements from WHA=
TWG version<o:p></o:p></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">13.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;
</span></span><![endif]>Removed language about multiple origins in security=
 considerations as that is now forbidden by the redirect steps<o:p></o:p></=
p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-.25in;mso-list:l1 level=
1 lfo1"><![if !supportLists]><span style=3D"mso-list:Ignore">14.<span style=
=3D"font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;
</span></span><![endif]>Added a non-normative &#8220;Implementation Conside=
rations&#8221; as Section 6.4 under the Resource Processing Model with the =
following text:<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">&#8220;Resources that wish to enable themselves to b=
e shared with multiple<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; &lt;code&gt;Origins&lt;/code&gt; but do not r=
espond uniformly with &lt;code&gt;&quot;*&quot;&lt;/code&gt;<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; must in practice generate the &lt;code&gt;Acc=
ess-Control-Allow-Origin&lt;/code&gt;<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; header dynamically in response to every reque=
st they wish<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; to allow.&nbsp; As a consequence, authors of =
such resources should send a<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; &lt;code&gt;Vary: Origin&lt;/code&gt; HTTP he=
ader or provide other appropriate control<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; directives to prevent caching of such respons=
es, which may be inaccurate<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp; if re-used across-origins.&#8221;<o:p></o:p><=
/p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Thank you,<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Brad Hill<o:p></o:p></p>
<p class=3D"MsoNormal">WebAppSec WG Co-Chair<o:p></o:p></p>
</div>
</body>
</html>

--_000_370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9DENEXDDAS12corpeb_--

From art.barstow@nokia.com  Fri Nov 16 05:17:56 2012
Return-Path: <art.barstow@nokia.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4376821F84D4 for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 05:17:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LMn3AMGUAY+R for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 05:17:55 -0800 (PST)
Received: from mgw-sa01.nokia.com (smtp.nokia.com [147.243.1.47]) by ietfa.amsl.com (Postfix) with ESMTP id 1D55521F8A2D for <websec@ietf.org>; Fri, 16 Nov 2012 05:17:52 -0800 (PST)
Received: from Barstow-MBP.local (bsdhcp17551.americas.nokia.com [172.19.175.51]) by mgw-sa01.nokia.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id qAGDHe5U023525; Fri, 16 Nov 2012 15:17:43 +0200
Message-ID: <50A63CF8.1090301@nokia.com>
Date: Fri, 16 Nov 2012 08:17:44 -0500
From: Arthur Barstow <art.barstow@nokia.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: "ext Hill, Brad" <bhill@paypal-inc.com>
References: <370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9@DEN-EXDDA-S12.corp.ebay.com>
In-Reply-To: <370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9@DEN-EXDDA-S12.corp.ebay.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Nokia-AV: Clean
X-Mailman-Approved-At: Fri, 16 Nov 2012 05:35:45 -0800
Cc: "WebApps WG \(public-webapps@w3.org\)" <public-webapps@w3.org>, "Anne van Kesteren \(annevk@annevk.nl\)" <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-web-security@w3.org" <public-web-security@w3.org>
Subject: Re: [websec] Call for Consensus: CORS to Candidate Recommendation
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 13:17:56 -0000

On 11/15/12 5:31 PM, ext Hill, Brad wrote:
>
> I have placed a draft for review at:
>
> http://www.w3.org/2011/webappsec/cors-draft/
>
> And this is a Call for Consensus among the WebAppSec and WebApps WGs 
> to take this particular text (with necessary additions to the Status 
> of this Document section if approved) forward to Candidate Recommendation.
>

I support this CfC although I am wondering about the CR exit criteria.

Do you expect to re-use the CSP1.0 criteria:

[[
The entrance criteria for this document to enter the Proposed 
Recommendation stage is to have a minimum of two independent and 
interoperable user agents that implementation all the features of this 
specification, which will be determined by passing the user agent tests 
defined in the test suite developed by the Working Group.
]]

My preference is what WebApps has used in other CRs because I think it 
is clearer that a single implementation is not required to pass every 
test but that at least two implementations must pass every test. F.ex.:

    <http://www.w3.org/TR/2012/CR-websockets-20120920/#crec>

-Thanks, AB



From hannes.tschofenig@gmx.net  Fri Nov 16 06:41:30 2012
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C10A21F87A7 for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 06:41:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.359
X-Spam-Level: 
X-Spam-Status: No, score=-101.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLT1aR63dLnI for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 06:41:29 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id E7FCE21F84E2 for <websec@ietf.org>; Fri, 16 Nov 2012 06:41:28 -0800 (PST)
Received: (qmail invoked by alias); 16 Nov 2012 14:41:27 -0000
Received: from unknown (EHLO [18.111.94.88]) [18.111.94.88] by mail.gmx.net (mp032) with SMTP; 16 Nov 2012 15:41:27 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+FbYhyogaFqUJ6RyPyrVOVHmmeBV67N1+/O7Nz9e wAx/ifpiZBvTBb
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com>
Date: Fri, 16 Nov 2012 09:41:20 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <4B59D185-7F74-442B-B0F3-5122E1C2498D@gmx.net>
References: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1085)
X-Y-GMX-Trusted: 0
Cc: websec <websec@ietf.org>
Subject: Re: [websec] HTTP Integrity header / Session Continuation scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 14:41:30 -0000

Phillip,=20

you are re-inventing OAuth. In your draft you have pretty much written a =
copy of http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00

You also include a MAC over the HTTP body. Folks in the OAuth community =
tried that as well and it did not work out too well since intermediaries =
mess around with the body.=20
You also have to selectively cover the header field and the =
canonicalization has caused problems for developers.

The MAC of only the headers unfortunately does not provide a lot of =
great properties for the security of the overall application solution =
since the valuable stuff is in the body.=20

I believe that a solution that uses TLS is better, as Google is =
proposing, since it covers the entire communication (including =
confidentiality protection) and the TLS Record Layer itself does not =
lead to a huge computational overhead. The heavy part is the =
authentication and key exchange.=20

Ciao
Hannes

On Nov 14, 2012, at 8:53 PM, Phillip Hallam-Baker wrote:

> There is a new draft at:
> http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02
>=20
> One of the biggest holes in the Web Security scheme is the fact that =
cookies end up being used as bearer tokens and this is a very, very bad =
idea. It leads to all sorts of cookie stealing schemes which are very =
hard to deal with because while the HTTP stack is simple, the Web stack =
of HTTP + HTML + JavaScript + Random plugins is very complicated and =
many parts were originally designed by people who didn't know what the =
rest did.
>=20
> While we cannot move to eliminate cookies overnight, there are some =
companies with affiliate schemes that are loosing seven or eight figure =
sums each year in affiliate fraud. If even one of the major browsers =
supported a mechanism that prevented cookie stealing, they would see an =
instant return.=20
>=20
>=20
> The scheme described in the draft is NOT an authentication scheme, =
rather it describes one small part of the authentication scheme, the =
part that allows an authentication/authorization context established in =
one protocol exchange to be continued into further transactions.=20
>=20
> The mechanism by which the authentication context is established is =
outside the scope of the draft because that is an area where there can =
be a lot of useful variation. If an organization has a Kerberos server =
or SAML infrastructure already then it makes sense to use those. There =
is never going to be a single canonical means of managing user =
credentials or presenting/validating them.
>=20
> But when you look at how a good authentication mechanism continues on =
from the point the session has been established it pretty much boils =
down to some form of identifier to specify the session and some sort of =
shared secret used to create a result that authenticates the session. We =
can add in additional information such as nonces and time values and =
counters and the like to prevent replay attacks but these are generic =
mechanisms that can be used to the same effect whether we used Kerberos, =
OpenID, SAML or some newfangled scheme to set up the context.
>=20
>=20
> I am not quite sure where this would be best progressed. In the short =
term I was thinking of applying for a provisional HTTP header assignment =
so that I can start using it in the Web Service protocol I am writing =
(omnibroker). But right now the scheme could fit in WebSec or could fit =
in HTTPbis or even the proposed Web Authentication WG.
>=20
> Regardless of where the work ends up, I think it is clear that if we =
are going to specify any new HTTP authentication schemes we are going to =
end up addressing the issue of session continuation somewhere and that =
the eventual solution needs to be reviewed by the people in all three =
places (if they are distinct persons).
>=20
>=20
> --=20
> Website: http://hallambaker.com/
>=20
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From barryleiba.mailing.lists@gmail.com  Fri Nov 16 08:08:32 2012
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DDB121F8669 for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 08:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.923
X-Spam-Level: 
X-Spam-Status: No, score=-102.923 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZOsi9u6Cv5B for <websec@ietfa.amsl.com>; Fri, 16 Nov 2012 08:08:31 -0800 (PST)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 59EF421F8585 for <websec@ietf.org>; Fri, 16 Nov 2012 08:08:31 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id y2so2441109lbk.31 for <websec@ietf.org>; Fri, 16 Nov 2012 08:08:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=en15zQNaH3mNu9g80bk85ra2QXwX51DNTtceqMd95LY=; b=ba7LQlP1KYO/H9rgGEmCujCV8hAxgWLcPDYNrjKOR+6cawo8wMDzkmRFhysc27GaxU 6vW7yK6Lh4gUXjrTF+w1N2WCrk1QNwLPyRD0dWSSS8MwiyPEEhICoBwe8Agd1RGinX0M 0eegsJsO2AkpJ0YclBkJzh02YZATTHa4Xd+9nMSBHx2NACk7ViolzijJy5awPHzcT3vU kJfnYdv60sG1GTx9I2eXDIbt/gV7oTtDEmTlkCgAxuOxwZr5JPwGtwdEclB4DjghpYMj ASRXGJ4yv2F0eK260dGgT6Dlx/2EfNiI4QyFDBtO3lqas4EABbbypbepgqgCD5sgLLEX ofBw==
MIME-Version: 1.0
Received: by 10.152.108.197 with SMTP id hm5mr4689673lab.45.1353082110278; Fri, 16 Nov 2012 08:08:30 -0800 (PST)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.112.12.166 with HTTP; Fri, 16 Nov 2012 08:08:30 -0800 (PST)
Date: Fri, 16 Nov 2012 11:08:30 -0500
X-Google-Sender-Auth: Fko582KvcYKSquFC2j-FEwsBgho
Message-ID: <CAC4RtVBHPnSeZdc92iCW81+_b-x8pNfHFovyb2KevktXKc807A@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [websec] Alexey stepping down as WebSec chair
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 16:08:32 -0000

(IESG and IESG Secretary on BCC)
As announced at the WebSec session in Atlanta (and in the minutes of
the session), Alexey has decided to step down as WebSec chair.  I want
to thank Alexey very much for the work he's put in, and for the work
that he continues to do in the IETF.  Thanks also to Tobias and Yoav
for their continuing work as WebSec chairs.

IESG Secretary, please remove Alexey from the list of WebSec chairs.

Barry, Applications AD

From Jeff.Hodges@KingsMountain.com  Mon Nov 19 14:47:19 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75AD721F8739 for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 14:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.265
X-Spam-Level: 
X-Spam-Status: No, score=-102.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNU1MH6UTvGT for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 14:47:18 -0800 (PST)
Received: from oproxy6-pub.bluehost.com (oproxy6-pub.bluehost.com [67.222.54.6]) by ietfa.amsl.com (Postfix) with SMTP id C8B9921F8720 for <websec@ietf.org>; Mon, 19 Nov 2012 14:47:18 -0800 (PST)
Received: (qmail 21473 invoked by uid 0); 19 Nov 2012 22:46:54 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 19 Nov 2012 22:46:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=GthEvAM5HwwcH2OV336a47k7zbj4vWGIDwS9fsNRlHc=;  b=nEFYnclQKsjGiyLyE9pCEmWG2fxx76V4CTexftJKImLYJta4SG2gnGcBDO2u5E57lincVF4NvkVrwfKBN9n32usqHXynIhQZakZdomLsUosUqxaf71s9vVnFX5rZzjnr;
Received: from [24.4.122.173] (port=57976 helo=[192.168.11.12]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Taa78-0007cV-5P; Mon, 19 Nov 2012 15:46:50 -0700
Message-ID: <50AAB6D8.2020902@KingsMountain.com>
Date: Mon, 19 Nov 2012 14:46:48 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: Alexey Melnkov <Alexey.Melnikov@isode.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Alexey stepping down as WebSec chair
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2012 22:47:19 -0000

Alexey,

Many thanks for serving as WebSec Co-chair. I've appreciated your wise council 
and process shepherding/organising, and will look forward to continuing to work 
with you in WebSec (?) and other IETF gatherings :)

thanks again,

=JeffH



From tlr@w3.org  Mon Nov 19 14:49:48 2012
Return-Path: <tlr@w3.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902E721F870B for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 14:49:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sVqfbv1EkXfW for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 14:49:48 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id 07ADB21F8462 for <websec@ietf.org>; Mon, 19 Nov 2012 14:49:47 -0800 (PST)
Received: from ip-88-207-234-66.dyn.luxdsl.pt.lu ([88.207.234.66] helo=[192.168.2.106]) by jay.w3.org with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <tlr@w3.org>) id 1Taa9u-0005jM-MR; Mon, 19 Nov 2012 17:49:42 -0500
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Content-Type: text/plain; charset=us-ascii
From: Thomas Roessler <tlr@w3.org>
In-Reply-To: <CAC4RtVBHPnSeZdc92iCW81+_b-x8pNfHFovyb2KevktXKc807A@mail.gmail.com>
Date: Mon, 19 Nov 2012 23:49:39 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C388092-9F50-4C60-92AA-033CF59C6455@w3.org>
References: <CAC4RtVBHPnSeZdc92iCW81+_b-x8pNfHFovyb2KevktXKc807A@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.1499)
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Alexey stepping down as WebSec chair
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2012 22:49:48 -0000

Thanks, Alexey, for the great work co-chairing this group, and for your =
wisdom and collaboration in general.  I'm sure hoping we're not quite =
rid of you yet!

--=20
Thomas Roessler, W3C <tlr@w3.org> (@roessler)



On 2012-11-16, at 17:08 +0100, Barry Leiba <barryleiba@computer.org> =
wrote:

> (IESG and IESG Secretary on BCC)
> As announced at the WebSec session in Atlanta (and in the minutes of
> the session), Alexey has decided to step down as WebSec chair.  I want
> to thank Alexey very much for the work he's put in, and for the work
> that he continues to do in the IETF.  Thanks also to Tobias and Yoav
> for their continuing work as WebSec chairs.
>=20
> IESG Secretary, please remove Alexey from the list of WebSec chairs.
>=20
> Barry, Applications AD
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>=20


From wwwrun@rfc-editor.org  Mon Nov 19 15:47:37 2012
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B961721F86C7; Mon, 19 Nov 2012 15:47:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.933
X-Spam-Level: 
X-Spam-Status: No, score=-101.933 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, J_CHICKENPOX_93=0.6, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2huqQ3FTjH1; Mon, 19 Nov 2012 15:47:37 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id 18A8E21F86AD; Mon, 19 Nov 2012 15:47:37 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 4E111B1E003; Mon, 19 Nov 2012 15:40:18 -0800 (PST)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Message-Id: <20121119234018.4E111B1E003@rfc-editor.org>
Date: Mon, 19 Nov 2012 15:40:18 -0800 (PST)
Cc: websec@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] RFC 6797 on HTTP Strict Transport Security (HSTS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2012 23:47:37 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 6797

        Title:      HTTP Strict Transport Security (HSTS) 
        Author:     J. Hodges, C. Jackson, A. Barth
        Status:     Standards Track
        Stream:     IETF
        Date:       November 2012
        Mailbox:    Jeff.Hodges@PayPal.com, 
                    collin.jackson@sv.cmu.edu, 
                    ietf@adambarth.com
        Pages:      46
        Characters: 103554
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-websec-strict-transport-sec-14.txt

        URL:        http://www.rfc-editor.org/rfc/rfc6797.txt

This specification defines a mechanism enabling web sites to declare
themselves accessible only via secure connections and/or for users to
be able to direct their user agent(s) to interact with given sites
only over secure connections.  This overall policy is referred to as
HTTP Strict Transport Security (HSTS).  The policy is declared by web
sites via the Strict-Transport-Security HTTP response header field
and/or by other means, such as user agent configuration, for example.
[STANDARDS-TRACK]

This document is a product of the Web Security Working Group of the IETF.

This is now a Proposed Standard Protocol.

STANDARDS TRACK: This document specifies an Internet standards track
protocol for the Internet community,and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Internet
Official Protocol Standards (STD 1) for the standardization state and
status of this protocol.  Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC



From stpeter@stpeter.im  Mon Nov 19 17:53:12 2012
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E891F21F87E5 for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 17:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.597
X-Spam-Level: 
X-Spam-Status: No, score=-102.597 tagged_above=-999 required=5 tests=[AWL=0.002, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VIcqnHTs4vlp for <websec@ietfa.amsl.com>; Mon, 19 Nov 2012 17:53:11 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id D8CCF21F87E3 for <websec@ietf.org>; Mon, 19 Nov 2012 17:53:11 -0800 (PST)
Received: from [192.168.1.7] (unknown [71.237.13.154]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id A0B0F4010C for <websec@ietf.org>; Mon, 19 Nov 2012 18:57:39 -0700 (MST)
Message-ID: <50AAE28E.4010207@stpeter.im>
Date: Mon, 19 Nov 2012 18:53:18 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: websec@ietf.org
References: <20121119234018.4E111B1E003@rfc-editor.org>
In-Reply-To: <20121119234018.4E111B1E003@rfc-editor.org>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] RFC 6797 on HTTP Strict Transport Security (HSTS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2012 01:53:13 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/19/12 4:40 PM, rfc-editor@rfc-editor.org wrote:
> 
> A new Request for Comments is now available in online RFC 
> libraries.
> 
> 
> RFC 6797
> 
> Title:      HTTP Strict Transport Security (HSTS) Author:     J. 
> Hodges, C. Jackson, A. Barth

It's great to see this move forward. Good job!

/psa





-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCq4o4ACgkQNL8k5A2w/vyIagCg7vRcb4DVR8nvH9WFeM8cH1ye
9iIAoODuvSUy2XaQ0N72Lex0QudVqb6m
=S91+
-----END PGP SIGNATURE-----

From ynir@checkpoint.com  Wed Nov 21 13:38:21 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CA4521F8472 for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 13:38:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.28
X-Spam-Level: 
X-Spam-Status: No, score=-10.28 tagged_above=-999 required=5 tests=[AWL=-0.281, BAYES_00=-2.599, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOMdX2UzmVoB for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 13:38:20 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id BE8BD21F846C for <websec@ietf.org>; Wed, 21 Nov 2012 13:38:18 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qALLcFmY008251 for <websec@ietf.org>; Wed, 21 Nov 2012 23:38:15 +0200
X-CheckPoint: {50AD466B-5-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.194]) by IL-EX10.ad.checkpoint.com ([169.254.2.194]) with mapi id 14.02.0318.004; Wed, 21 Nov 2012 23:38:14 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: Issue #53 - Clarify status of pin validation when used with private trust anchors
Thread-Index: AQHNyDCCC7tisBFlqEKwaMuz+22tGw==
Date: Wed, 21 Nov 2012 21:38:13 +0000
Message-ID: <4613980CFC78314ABFD7F85CC302772101E042@IL-EX10.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.21.66]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11bf8ec186f4f2188bdb69170021e60b572269ddd0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <650813A8C5E74040823823BE0F4F4F96@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [websec] Issue #53 - Clarify status of pin validation when used with private trust anchors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2012 21:38:21 -0000

Hi

During the meeting in Atlanta I said that saying that that pin validation i=
s disabled when the cert chains to a private trust anchor would not go over=
 well, because it's disabling a security feature in the presence of an atta=
ck. I still think so, but I think we can raise less red flags if we just de=
scribe what the issue is - that there is a TLS proxy.

I don't have suggested text, at least yet, but here's how I think the issue=
 can be addressed. Keep in mind that we're not writing a design for any par=
ticular browser.

=3D=3D=3D
On some networks, mostly corporate networks, there are TLS proxies, transpa=
rent proxies that sign certificates on behalf of visited web sites as descr=
ibed in [ref]. When a UA gets into such a network, the certificate presente=
d in the TLS handshake will not be consistent with the UA's previously stor=
ed pins.

It is up to the UA to decide whether such a TLS proxy is acceptable or not.=
 If it is acceptable, then pinning should be disabled, and the UA should no=
t follow the mandates in section 2.4 of this document. Ideally, such proxie=
s, or their associated trust anchors would be specially marked as trusted f=
or this purpose. If the UA does not allow for such a configuration, a heuri=
stic MAY be used to determine what trust anchors are used for a legitimate =
TLS proxy. One such heuristic, is that all trust anchors that are not part =
of the stock trust anchor store that comes with the UA or the operating sys=
tem, but that are in the trust anchor store (implying that they have been a=
dded by the user) are acceptable for TLS proxies.
=3D=3D=3D

I think this defuses the issue. What do others think?

One other suggestion that was brought up in Atlanta, was to have the server=
 specify a policy about private trust anchors in the Public-Key-Pins header=
, something like:

   Public-Key-Pins: max-age=3D500; policy=3Dstrict;
       pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
       pin-sha1=3D"IvGeLsbqzPxdI0b0wuj2xVTdXgc=3D"

   Public-Key-Pins: max-age=3D31536000; policy=3Daccept_private;
       pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
       pin-sha256=3D"LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=3D"


In case of policy=3Dstrict, the UA will not accept any handshake that disag=
rees with stored pins. This might be preferred by some servers, that are wi=
lling to accept not being accessible from all networks for the benefit of p=
reventing MitM attacks. What do others think about this idea?

Yoav=

From ryan-ietfhasmat@sleevi.com  Wed Nov 21 16:45:37 2012
Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F7321E8043 for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 16:45:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZbqpZz6V-EJ for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 16:45:36 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by ietfa.amsl.com (Postfix) with ESMTP id 7749521E8034 for <websec@ietf.org>; Wed, 21 Nov 2012 16:45:36 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 0030126C069; Wed, 21 Nov 2012 16:45:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=JCUzTDvsdGBs33EH2Kr5QWE3/9g=; b=aKVbs1ZjG8AXBsbCx gZkdS/mQN/SDIACIcXn7Ei+R/C0Z7zwbdAYKI8SsiSGFcTAjMJmIstETNZ9Vortl aEZxJSBthm5bDUs9BNzJdJaFhvsx0rfCuyu6U095GbXfY/I7WZWNqyfxdegcQh2l 3jznxlKGanb2KUjJWJ4lsVdawk=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPA id B658226C05E;  Wed, 21 Nov 2012 16:45:35 -0800 (PST)
Received: from 216.239.45.4 (proxying for 216.239.45.4) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 21 Nov 2012 16:45:35 -0800
Message-ID: <77ae8817edac8638b9ebf63b1f9ce6fb.squirrel@webmail.dreamhost.com>
In-Reply-To: <4613980CFC78314ABFD7F85CC302772101E042@IL-EX10.ad.checkpoint.com>
References: <4613980CFC78314ABFD7F85CC302772101E042@IL-EX10.ad.checkpoint.com>
Date: Wed, 21 Nov 2012 16:45:35 -0800
From: "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com>
To: "Yoav Nir" <ynir@checkpoint.com>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Issue #53 - Clarify status of pin validation when used with private trust anchors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2012 00:45:37 -0000

On Wed, November 21, 2012 1:38 pm, Yoav Nir wrote:
>  Hi
>
>  During the meeting in Atlanta I said that saying that that pin validat=
ion
>  is disabled when the cert chains to a private trust anchor would not g=
o
>  over well, because it's disabling a security feature in the presence o=
f an
>  attack. I still think so, but I think we can raise less red flags if w=
e
>  just describe what the issue is - that there is a TLS proxy.
>
>  I don't have suggested text, at least yet, but here's how I think the
>  issue can be addressed. Keep in mind that we're not writing a design f=
or
>  any particular browser.
>
>  =3D=3D=3D
>  On some networks, mostly corporate networks, there are TLS proxies,
>  transparent proxies that sign certificates on behalf of visited web si=
tes
>  as described in [ref]. When a UA gets into such a network, the certifi=
cate
>  presented in the TLS handshake will not be consistent with the UA's
>  previously stored pins.
>
>  It is up to the UA to decide whether such a TLS proxy is acceptable or
>  not. If it is acceptable, then pinning should be disabled, and the UA
>  should not follow the mandates in section 2.4 of this document. Ideall=
y,
>  such proxies, or their associated trust anchors would be specially mar=
ked
>  as trusted for this purpose. If the UA does not allow for such a
>  configuration, a heuristic MAY be used to determine what trust anchors=
 are
>  used for a legitimate TLS proxy. One such heuristic, is that all trust
>  anchors that are not part of the stock trust anchor store that comes w=
ith
>  the UA or the operating system, but that are in the trust anchor store
>  (implying that they have been added by the user) are acceptable for TL=
S
>  proxies.
>  =3D=3D=3D
>
>  I think this defuses the issue. What do others think?

The wording suggests that it's primarily a network layer 'attacker', whic=
h
somehow raises the spectre of RFC 1984 (unfairly, I think), but we also
see TLS proxies that are entirely local to clients' machines - for
example, Antivirus Software that installs a Winsock LSP.

I'm still working with Chris Palmer to find suitable language to propose
on this, but we've been looking at ways to define this processing in term=
s
of "client policy" that may supercede or disregard the the Pinning
Metadata for a Known Pinned Host, to be incorporated into Section 2.4.
(Validating Pinned Connections)

>
>  One other suggestion that was brought up in Atlanta, was to have the
>  server specify a policy about private trust anchors in the Public-Key-=
Pins
>  header, something like:
>
>     Public-Key-Pins: max-age=3D500; policy=3Dstrict;
>         pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
>         pin-sha1=3D"IvGeLsbqzPxdI0b0wuj2xVTdXgc=3D"
>
>     Public-Key-Pins: max-age=3D31536000; policy=3Daccept_private;
>         pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
>         pin-sha256=3D"LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=3D"
>
>
>  In case of policy=3Dstrict, the UA will not accept any handshake that
>  disagrees with stored pins. This might be preferred by some servers, t=
hat
>  are willing to accept not being accessible from all networks for the
>  benefit of preventing MitM attacks. What do others think about this id=
ea?

Given HPKP's shared history with HSTS, and as discussed during Atlanta,
one of the things we were looking at was ensuring the ABNF grammar was
consistent with the grammar that was decided for HSTS. In particular, the
ABNF grammar should NOT specify all of individual tokens, but instead
define the set of directives, to allow new directives to be added.

This ABNF looks as such:

Public-Key-Pins  =3D "Public-Key-Pins" ":" [ directive ] *( ";" [ directi=
ve ] )

directive        =3D simple-directive
                   / pin-directive

simple-directive =3D directive-name [ "=3D" directive-value ]
directive-name   =3D token
directive-value  =3D token | quoted-string

pin-directive    =3D "pin-" token "=3D" quoted-string


With the above grammar, and given that HPKP's threat model is primarily
motivated by allowing site operators to defend against certificate
misissuance from CAs trusted by the client, we're proposing that 'strict'
be added (as a simple-directive). The absence of 'strict' implies that th=
e
UA is permitted to allow client local policy to override the directive,
while the presence of 'strict' implies that the header should be
interpreted exactly as it is supplied.

The reasoning to making the default open, rather than closed, is that we
anticipate that 'strict' is not the primary or default mode that sites
intend to operate in (since client policy is a known-unknown from the
perspective of site operators), so this is primarily an ease-of-use
feature.

I think your proposal to use a policy directive with a set of known value
strings may also work, but my fear is that it would just end up with most
servers sending "policy=3Daccept_private" to be safe, which seems like bo=
th
a sharp edge to find and perhaps more bytes than needed.


From ynir@checkpoint.com  Wed Nov 21 23:40:45 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4D6121F8824 for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 23:40:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level: 
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJbytCMIHJmR for <websec@ietfa.amsl.com>; Wed, 21 Nov 2012 23:40:45 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id A3A2021F872D for <websec@ietf.org>; Wed, 21 Nov 2012 23:40:44 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qAM7edmD015918; Thu, 22 Nov 2012 09:40:39 +0200
X-CheckPoint: {50ADD397-0-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.194]) by IL-EX10.ad.checkpoint.com ([169.254.2.194]) with mapi id 14.02.0318.004; Thu, 22 Nov 2012 09:40:39 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "<ryan-ietfhasmat@sleevi.com>" <ryan-ietfhasmat@sleevi.com>
Thread-Topic: [websec] Issue #53 - Clarify status of pin validation when used with private trust anchors
Thread-Index: AQHNyDCCC7tisBFlqEKwaMuz+22tG5f043WAgABtaAA=
Date: Thu, 22 Nov 2012 07:40:38 +0000
Message-ID: <4613980CFC78314ABFD7F85CC302772101E8A8@IL-EX10.ad.checkpoint.com>
References: <4613980CFC78314ABFD7F85CC302772101E042@IL-EX10.ad.checkpoint.com> <77ae8817edac8638b9ebf63b1f9ce6fb.squirrel@webmail.dreamhost.com>
In-Reply-To: <77ae8817edac8638b9ebf63b1f9ce6fb.squirrel@webmail.dreamhost.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [91.90.139.66]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11fabee777a2e970584b3286dfb2d6df24f7db8561
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <94E82F1BE0F9FE48B6571FF11C6EF6C4@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Issue #53 - Clarify status of pin validation when used with private trust anchors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2012 07:40:45 -0000

On Nov 22, 2012, at 2:45 AM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote=
:

> On Wed, November 21, 2012 1:38 pm, Yoav Nir wrote:
>> Hi
>>=20
>> During the meeting in Atlanta I said that saying that that pin validatio=
n
>> is disabled when the cert chains to a private trust anchor would not go
>> over well, because it's disabling a security feature in the presence of =
an
>> attack. I still think so, but I think we can raise less red flags if we
>> just describe what the issue is - that there is a TLS proxy.
>>=20
>> I don't have suggested text, at least yet, but here's how I think the
>> issue can be addressed. Keep in mind that we're not writing a design for
>> any particular browser.
>>=20
>> =3D=3D=3D
>> On some networks, mostly corporate networks, there are TLS proxies,
>> transparent proxies that sign certificates on behalf of visited web site=
s
>> as described in [ref]. When a UA gets into such a network, the certifica=
te
>> presented in the TLS handshake will not be consistent with the UA's
>> previously stored pins.
>>=20
>> It is up to the UA to decide whether such a TLS proxy is acceptable or
>> not. If it is acceptable, then pinning should be disabled, and the UA
>> should not follow the mandates in section 2.4 of this document. Ideally,
>> such proxies, or their associated trust anchors would be specially marke=
d
>> as trusted for this purpose. If the UA does not allow for such a
>> configuration, a heuristic MAY be used to determine what trust anchors a=
re
>> used for a legitimate TLS proxy. One such heuristic, is that all trust
>> anchors that are not part of the stock trust anchor store that comes wit=
h
>> the UA or the operating system, but that are in the trust anchor store
>> (implying that they have been added by the user) are acceptable for TLS
>> proxies.
>> =3D=3D=3D
>>=20
>> I think this defuses the issue. What do others think?
>=20
> The wording suggests that it's primarily a network layer 'attacker', whic=
h
> somehow raises the spectre of RFC 1984 (unfairly, I think), but we also
> see TLS proxies that are entirely local to clients' machines - for
> example, Antivirus Software that installs a Winsock LSP.

OK, but clients that share a machine with software like that can never ever=
 verify pins. I don't think we really need to talk about them.

> I'm still working with Chris Palmer to find suitable language to propose
> on this, but we've been looking at ways to define this processing in term=
s
> of "client policy" that may supercede or disregard the the Pinning
> Metadata for a Known Pinned Host, to be incorporated into Section 2.4.
> (Validating Pinned Connections)

Looking forward to seeing this.


>> One other suggestion that was brought up in Atlanta, was to have the
>> server specify a policy about private trust anchors in the Public-Key-Pi=
ns
>> header, something like:
>>=20
>>    Public-Key-Pins: max-age=3D500; policy=3Dstrict;
>>        pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
>>        pin-sha1=3D"IvGeLsbqzPxdI0b0wuj2xVTdXgc=3D"
>>=20
>>    Public-Key-Pins: max-age=3D31536000; policy=3Daccept_private;
>>        pin-sha1=3D"4n972HfV354KP560yw4uqe/baXc=3D";
>>        pin-sha256=3D"LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=3D"
>>=20
>>=20
>> In case of policy=3Dstrict, the UA will not accept any handshake that
>> disagrees with stored pins. This might be preferred by some servers, tha=
t
>> are willing to accept not being accessible from all networks for the
>> benefit of preventing MitM attacks. What do others think about this idea=
?
>=20
> Given HPKP's shared history with HSTS, and as discussed during Atlanta,
> one of the things we were looking at was ensuring the ABNF grammar was
> consistent with the grammar that was decided for HSTS. In particular, the
> ABNF grammar should NOT specify all of individual tokens, but instead
> define the set of directives, to allow new directives to be added.
>=20
> This ABNF looks as such:
>=20
> Public-Key-Pins  =3D "Public-Key-Pins" ":" [ directive ] *( ";" [ directi=
ve ] )
>=20
> directive        =3D simple-directive
>                   / pin-directive
>=20
> simple-directive =3D directive-name [ "=3D" directive-value ]
> directive-name   =3D token
> directive-value  =3D token | quoted-string
>=20
> pin-directive    =3D "pin-" token "=3D" quoted-string
>=20
>=20
> With the above grammar, and given that HPKP's threat model is primarily
> motivated by allowing site operators to defend against certificate
> misissuance from CAs trusted by the client, we're proposing that 'strict'
> be added (as a simple-directive). The absence of 'strict' implies that th=
e
> UA is permitted to allow client local policy to override the directive,
> while the presence of 'strict' implies that the header should be
> interpreted exactly as it is supplied.
>=20
> The reasoning to making the default open, rather than closed, is that we
> anticipate that 'strict' is not the primary or default mode that sites
> intend to operate in (since client policy is a known-unknown from the
> perspective of site operators), so this is primarily an ease-of-use
> feature.
>=20
> I think your proposal to use a policy directive with a set of known value
> strings may also work, but my fear is that it would just end up with most
> servers sending "policy=3Daccept_private" to be safe, which seems like bo=
th
> a sharp edge to find and perhaps more bytes than needed.

Got me convinced. And I agree that there will be very few sites that actual=
ly use "strict", unless some auditor or PCI decide that this is a good idea=
. And even if they did, they'd get a lot of pushback, because this actually=
 makes the website works in fewer places. This is not the same as mandating=
 RC4 for fear of the BEAST.

Yoav=

From hallam@gmail.com  Thu Nov 22 08:58:58 2012
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC6621F8764 for <websec@ietfa.amsl.com>; Thu, 22 Nov 2012 08:58:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.492
X-Spam-Level: 
X-Spam-Status: No, score=-3.492 tagged_above=-999 required=5 tests=[AWL=-1.134, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQSTJvEXZ09K for <websec@ietfa.amsl.com>; Thu, 22 Nov 2012 08:58:56 -0800 (PST)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 8450C21F8756 for <websec@ietf.org>; Thu, 22 Nov 2012 08:58:56 -0800 (PST)
Received: by mail-vb0-f44.google.com with SMTP id fc26so608899vbb.31 for <websec@ietf.org>; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Y4pLzp7w84cBbN565vvvDs2M4y0uzH4N+91aOC8pwSM=; b=tP1oqNArwut2wLH7oJX8+eF64wftym0PQOHsVCu8HrDmAVJWlKKZBRxWeSAolyF+4l So8X6reYcFtTyikkJBu8L3SIadw2NK5QKS6Ck94qpEUHs8NZ4bcKaGovHapiFsLlNhaM k/Cf0d0oFt5Kg76mhCdytNcUXmRJcHwwWxl95bNHA7NV/M8UUn6DdgYREW0aSqC7l0Zh AJIqdxJMQ7tw6Qkl+aNKl04DcjGk/XuCl1OkDqv+kK5d+E6oIZMyFDJLPB81aTFBpBwx tjMb5ELIaPpvQSY9dWCcqPwr08fU9vMvz4sXJbaE4UBT93HIExzcy605/Dm8uvJct8wX M/kQ==
MIME-Version: 1.0
Received: by 10.52.22.240 with SMTP id h16mr1526710vdf.82.1353603535749; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
Received: by 10.58.19.130 with HTTP; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
In-Reply-To: <4B59D185-7F74-442B-B0F3-5122E1C2498D@gmx.net>
References: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com> <4B59D185-7F74-442B-B0F3-5122E1C2498D@gmx.net>
Date: Thu, 22 Nov 2012 11:58:55 -0500
Message-ID: <CAMm+Lwgfk0BA-7_iKBJytJhTJRkb5J=O+C+NmCdF-pcVt1q-eQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=20cf3079bb0aea418104cf18618e
Cc: websec <websec@ietf.org>
Subject: Re: [websec] HTTP Integrity header / Session Continuation scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2012 16:58:58 -0000

--20cf3079bb0aea418104cf18618e
Content-Type: text/plain; charset=ISO-8859-1

No, I am not re-inventing OAuth any more than they are re-inventing Digest.

OAuth like all the rest of the Web Authentication schemes (yeah I know they
claim to only do AuthZ but that was a necessary fiction) has to fight with
the fact that HTTP infrastructure is not adapted well. So the scheme is
split over three layers.


On Fri, Nov 16, 2012 at 9:41 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Phillip,
>
> you are re-inventing OAuth. In your draft you have pretty much written a
> copy of http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00
>
> You also include a MAC over the HTTP body. Folks in the OAuth community
> tried that as well and it did not work out too well since intermediaries
> mess around with the body.
> You also have to selectively cover the header field and the
> canonicalization has caused problems for developers.
>

SCREW INTERMEDIARIES

This is designed for authentication binding in Web Services. Those almost
never go through an intermediary except for purposes of bypassing firewalls.

In this case the desired behavior is to BREAK if the contents are tampered
with. The whole point is to detect modification by a MITM. If a proxy
changes a linebreak then the desired behavior is BREAK the protocol.

Yes, people who put up broken intermediaries are going to break protocols.
But that does not mean that we should drop requirements that are essential
in some environments.



> The MAC of only the headers unfortunately does not provide a lot of great
> properties for the security of the overall application solution since the
> valuable stuff is in the body.
>

Agreed, but there are cases where content is carried in headers in Web
Services.



> I believe that a solution that uses TLS is better, as Google is proposing,
> since it covers the entire communication (including confidentiality
> protection) and the TLS Record Layer itself does not lead to a huge
> computational overhead. The heavy part is the authentication and key
> exchange.
>

I don't think 'Google' is proposing anything, its individual participation,
remember. What they were proposing in HTTP-Bis was to use TLS all the time
so that they could avoid the need to think about intermediaries polluting
the channel. I think that is a perfectly sensible solution to the
intermediary problem but still does not address the problem of dealing with
Authorization at the transport layer.

TLS is useful but it hasn't got a viable client auth story and the binding
of TLS auth to the HTTP layer is really problematic.

Channel binding helps to an extent, but it still leaves the client auth
mechanism flapping in the breeze. What applications like Web Services would
have to do to use TLS is to bury their client credentials into the TLS
layer through APIs that mostly don't exist and then the servers would have
to fish them out - fighting the fact that in many cases the server end of
the TLS session terminates before the Web Service server (inescapable in
two and three tier server architectures).





> Ciao
> Hannes
>
> On Nov 14, 2012, at 8:53 PM, Phillip Hallam-Baker wrote:
>
> > There is a new draft at:
> > http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02
> >
> > One of the biggest holes in the Web Security scheme is the fact that
> cookies end up being used as bearer tokens and this is a very, very bad
> idea. It leads to all sorts of cookie stealing schemes which are very hard
> to deal with because while the HTTP stack is simple, the Web stack of HTTP
> + HTML + JavaScript + Random plugins is very complicated and many parts
> were originally designed by people who didn't know what the rest did.
> >
> > While we cannot move to eliminate cookies overnight, there are some
> companies with affiliate schemes that are loosing seven or eight figure
> sums each year in affiliate fraud. If even one of the major browsers
> supported a mechanism that prevented cookie stealing, they would see an
> instant return.
> >
> >
> > The scheme described in the draft is NOT an authentication scheme,
> rather it describes one small part of the authentication scheme, the part
> that allows an authentication/authorization context established in one
> protocol exchange to be continued into further transactions.
> >
> > The mechanism by which the authentication context is established is
> outside the scope of the draft because that is an area where there can be a
> lot of useful variation. If an organization has a Kerberos server or SAML
> infrastructure already then it makes sense to use those. There is never
> going to be a single canonical means of managing user credentials or
> presenting/validating them.
> >
> > But when you look at how a good authentication mechanism continues on
> from the point the session has been established it pretty much boils down
> to some form of identifier to specify the session and some sort of shared
> secret used to create a result that authenticates the session. We can add
> in additional information such as nonces and time values and counters and
> the like to prevent replay attacks but these are generic mechanisms that
> can be used to the same effect whether we used Kerberos, OpenID, SAML or
> some newfangled scheme to set up the context.
> >
> >
> > I am not quite sure where this would be best progressed. In the short
> term I was thinking of applying for a provisional HTTP header assignment so
> that I can start using it in the Web Service protocol I am writing
> (omnibroker). But right now the scheme could fit in WebSec or could fit in
> HTTPbis or even the proposed Web Authentication WG.
> >
> > Regardless of where the work ends up, I think it is clear that if we are
> going to specify any new HTTP authentication schemes we are going to end up
> addressing the issue of session continuation somewhere and that the
> eventual solution needs to be reviewed by the people in all three places
> (if they are distinct persons).
> >
> >
> > --
> > Website: http://hallambaker.com/
> >
> > _______________________________________________
> > websec mailing list
> > websec@ietf.org
> > https://www.ietf.org/mailman/listinfo/websec
>
>


-- 
Website: http://hallambaker.com/

--20cf3079bb0aea418104cf18618e
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

No, I am not re-inventing OAuth any more than they are re-inventing Digest.=
<div><br></div><div>OAuth like all the rest of the Web Authentication schem=
es (yeah I know they claim to only do AuthZ but that was a necessary fictio=
n) has to fight with the fact that HTTP infrastructure is not adapted well.=
 So the scheme is split over three layers.<br>
<div><br><br><div class=3D"gmail_quote">On Fri, Nov 16, 2012 at 9:41 AM, Ha=
nnes Tschofenig <span dir=3D"ltr">&lt;<a href=3D"mailto:hannes.tschofenig@g=
mx.net" target=3D"_blank">hannes.tschofenig@gmx.net</a>&gt;</span> wrote:<b=
r><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:=
1px #ccc solid;padding-left:1ex">
Phillip,<br>
<br>
you are re-inventing OAuth. In your draft you have pretty much written a co=
py of <a href=3D"http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00=
" target=3D"_blank">http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac=
-00</a><br>

<br>
You also include a MAC over the HTTP body. Folks in the OAuth community tri=
ed that as well and it did not work out too well since intermediaries mess =
around with the body.<br>
You also have to selectively cover the header field and the canonicalizatio=
n has caused problems for developers.<br></blockquote><div><br></div><div>S=
CREW INTERMEDIARIES</div><div><br></div><div>This is designed for authentic=
ation binding in Web Services. Those almost never go through an intermediar=
y except for purposes of bypassing firewalls.</div>
<div><br></div><div>In this case the desired behavior is to BREAK if the co=
ntents are tampered with. The whole point is to detect modification by a MI=
TM. If a proxy changes a linebreak then the desired behavior is BREAK the p=
rotocol.</div>
<div><br></div><div>Yes, people who put up broken intermediaries are going =
to break protocols. But that does not mean that we should drop requirements=
 that are essential in some environments.</div><div><br></div><div>=A0</div=
>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
The MAC of only the headers unfortunately does not provide a lot of great p=
roperties for the security of the overall application solution since the va=
luable stuff is in the body.<br></blockquote><div><br></div><div>Agreed, bu=
t there are cases where content is carried in headers in Web Services.</div=
>
<div><br></div><div>=A0</div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I believe that a solution that uses TLS is better, as Google is proposing, =
since it covers the entire communication (including confidentiality protect=
ion) and the TLS Record Layer itself does not lead to a huge computational =
overhead. The heavy part is the authentication and key exchange.<br>
</blockquote><div><br></div><div>I don&#39;t think &#39;Google&#39; is prop=
osing anything, its individual participation, remember. What they were prop=
osing in HTTP-Bis was to use TLS all the time so that they could avoid the =
need to think about intermediaries polluting the channel. I think that is a=
 perfectly sensible solution to the intermediary problem but still does not=
 address the problem of dealing with Authorization at the transport layer.<=
/div>
<div><br></div><div>TLS is useful but it hasn&#39;t got a viable client aut=
h story and the binding of TLS auth to the HTTP layer is really problematic=
.</div><div><br></div><div>Channel binding helps to an extent, but it still=
 leaves the client auth mechanism flapping in the breeze. What applications=
 like Web Services would have to do to use TLS is to bury their client cred=
entials into the TLS layer through APIs that mostly don&#39;t exist and the=
n the servers would have to fish them out - fighting the fact that in many =
cases the server end of the TLS session terminates before the Web Service s=
erver (inescapable in two and three tier server architectures).</div>
<div><br></div><div><br></div><div><br></div><div>=A0</div><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pad=
ding-left:1ex">
Ciao<br>
Hannes<br>
<div><div class=3D"h5"><br>
On Nov 14, 2012, at 8:53 PM, Phillip Hallam-Baker wrote:<br>
<br>
&gt; There is a new draft at:<br>
&gt; <a href=3D"http://tools.ietf.org/html/draft-hallambaker-httpintegrity-=
02" target=3D"_blank">http://tools.ietf.org/html/draft-hallambaker-httpinte=
grity-02</a><br>
&gt;<br>
&gt; One of the biggest holes in the Web Security scheme is the fact that c=
ookies end up being used as bearer tokens and this is a very, very bad idea=
. It leads to all sorts of cookie stealing schemes which are very hard to d=
eal with because while the HTTP stack is simple, the Web stack of HTTP + HT=
ML + JavaScript + Random plugins is very complicated and many parts were or=
iginally designed by people who didn&#39;t know what the rest did.<br>

&gt;<br>
&gt; While we cannot move to eliminate cookies overnight, there are some co=
mpanies with affiliate schemes that are loosing seven or eight figure sums =
each year in affiliate fraud. If even one of the major browsers supported a=
 mechanism that prevented cookie stealing, they would see an instant return=
.<br>

&gt;<br>
&gt;<br>
&gt; The scheme described in the draft is NOT an authentication scheme, rat=
her it describes one small part of the authentication scheme, the part that=
 allows an authentication/authorization context established in one protocol=
 exchange to be continued into further transactions.<br>

&gt;<br>
&gt; The mechanism by which the authentication context is established is ou=
tside the scope of the draft because that is an area where there can be a l=
ot of useful variation. If an organization has a Kerberos server or SAML in=
frastructure already then it makes sense to use those. There is never going=
 to be a single canonical means of managing user credentials or presenting/=
validating them.<br>

&gt;<br>
&gt; But when you look at how a good authentication mechanism continues on =
from the point the session has been established it pretty much boils down t=
o some form of identifier to specify the session and some sort of shared se=
cret used to create a result that authenticates the session. We can add in =
additional information such as nonces and time values and counters and the =
like to prevent replay attacks but these are generic mechanisms that can be=
 used to the same effect whether we used Kerberos, OpenID, SAML or some new=
fangled scheme to set up the context.<br>

&gt;<br>
&gt;<br>
&gt; I am not quite sure where this would be best progressed. In the short =
term I was thinking of applying for a provisional HTTP header assignment so=
 that I can start using it in the Web Service protocol I am writing (omnibr=
oker). But right now the scheme could fit in WebSec or could fit in HTTPbis=
 or even the proposed Web Authentication WG.<br>

&gt;<br>
&gt; Regardless of where the work ends up, I think it is clear that if we a=
re going to specify any new HTTP authentication schemes we are going to end=
 up addressing the issue of session continuation somewhere and that the eve=
ntual solution needs to be reviewed by the people in all three places (if t=
hey are distinct persons).<br>

&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Website: <a href=3D"http://hallambaker.com/" target=3D"_blank">http://=
hallambaker.com/</a><br>
&gt;<br>
</div></div>&gt; _______________________________________________<br>
&gt; websec mailing list<br>
&gt; <a href=3D"mailto:websec@ietf.org">websec@ietf.org</a><br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/websec" target=3D"_bl=
ank">https://www.ietf.org/mailman/listinfo/websec</a><br>
<br>
</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Website: <a =
href=3D"http://hallambaker.com/">http://hallambaker.com/</a><br><br>
</div></div>

--20cf3079bb0aea418104cf18618e--

From hallam@gmail.com  Thu Nov 22 09:21:10 2012
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A479321F85A1 for <websec@ietfa.amsl.com>; Thu, 22 Nov 2012 09:21:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.082
X-Spam-Level: 
X-Spam-Status: No, score=-4.082 tagged_above=-999 required=5 tests=[AWL=-0.484, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZcwugsgEmAib for <websec@ietfa.amsl.com>; Thu, 22 Nov 2012 09:21:10 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5D70A21F8584 for <websec@ietf.org>; Thu, 22 Nov 2012 09:21:09 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id fw7so6975498vcb.31 for <websec@ietf.org>; Thu, 22 Nov 2012 09:21:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=25BQzK7HhhxhTTxhGezYBGMFFxsKY0qtZmn7his1TJk=; b=yevCR+AIrf6grNCjAJFVGVRBu15PMAMz9yZoh6aAWUjKCxHbkSZa1ijoCkdbUKKqRP dMeNf3iNFWs/7kHV0fVz3sOcQ2N+MesuMnRFuoM5S/H8pLUQzA4mB2/ET3aomk6CmETp V8a48lHXxKLrSO542cZG6s3GL+WAgR2NYtrqXC4Vr+k7VR9TZ/9ebAkjJ82Ugi9J8JkY JisB/U3rSSl0+oWaRfTz8NMQKVsjtWxth2KVEtN3jOSeK7XL/NuzhpVv2JpmlZZR56Gi lWuTlgzpsrnCHJe3i6iIDEhibv0V7+J9rH3TWLIM4ACpSzkKdlrnIK/z5OyAdvnUXJ1b 2Wzg==
MIME-Version: 1.0
Received: by 10.220.241.141 with SMTP id le13mr1855494vcb.26.1353604868149; Thu, 22 Nov 2012 09:21:08 -0800 (PST)
Received: by 10.58.19.130 with HTTP; Thu, 22 Nov 2012 09:21:08 -0800 (PST)
In-Reply-To: <4B59D185-7F74-442B-B0F3-5122E1C2498D@gmx.net>
References: <CAMm+Lwh2c4NsHErsbsf3awJn8kt3V1D_KAo7fOW_oSsHA-_BvA@mail.gmail.com> <4B59D185-7F74-442B-B0F3-5122E1C2498D@gmx.net>
Date: Thu, 22 Nov 2012 12:21:08 -0500
Message-ID: <CAMm+Lwi28i3rg0c9zJ=ajRjqYXxtwVStkuEDBcX2t4t9TnoQZw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=14dae9cdc32b55122904cf18b16a
Cc: websec <websec@ietf.org>
Subject: Re: [websec] HTTP Integrity header / Session Continuation scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2012 17:21:10 -0000

--14dae9cdc32b55122904cf18b16a
Content-Type: text/plain; charset=ISO-8859-1

I can implement all the features describes in the OAUTH-MAC draft in my
scheme but I don't think the reverse is true.

The idea here is that we take out the session continuation component and
make it a single common feature that OAUTH, OpenID, SAML and Web Services
authentication schemes can all share so that we have one way to do it for
all HTTP schemes.

Designing in the context of OAUTH only leads to a scheme that is difficult
to then apply as a generic. There are two problems to be addressed in a
session continuation mechanism, one is which parts of the message (if any)
should be covered by the authentication mechanism and second how to prevent
replay attacks. Which choices you take are going to depend on which
particular authentication problem to solve.


If what we are trying to do here is to simply replace bearer token cookies
with something less disastrous then we are not going to want to have any
authentication binding to the content at all so that we avoid the problem
of intermediaries raised by Hannes etc. We are going to be concerned about
replay attacks though and probably want to ensure that the solution is
stateless at the server.

If what we are doing is looking to replace the SOAP/WS-Security stack then
we are going to want a MAC over the message contents and probably the
request URI as well. Replay attack might not be a concern then because we
might prefer to do that in the application layer or if we do it in the HTTP
layer we probably don't care much about the overhead of per connection
state.

--14dae9cdc32b55122904cf18b16a
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div>I can implement all the features describes in the OAUTH-MAC draft in m=
y scheme but I don&#39;t think the reverse is true.</div><div><br></div><di=
v>The idea here is that we take out the session continuation component and =
make it a single common feature that OAUTH, OpenID, SAML and Web Services a=
uthentication schemes can all share so that we have one way to do it for al=
l HTTP schemes.</div>
<div><br></div><div>Designing in the context of OAUTH only leads to a schem=
e that is difficult to then apply as a generic. There are two problems to b=
e addressed in a session continuation mechanism, one is which parts of the =
message (if any) should be covered by the authentication mechanism and seco=
nd how to prevent replay attacks. Which choices you take are going to depen=
d on which particular authentication problem to solve.</div>
<div><br></div><div><br></div><div>If what we are trying to do here is to s=
imply replace bearer token cookies with something less disastrous then we a=
re not going to want to have any authentication binding to the content at a=
ll so that we avoid the problem of intermediaries raised by Hannes etc. We =
are going to be concerned about replay attacks though and probably want to =
ensure that the solution is stateless at the server.</div>
<div><br></div><div>If what we are doing is looking to replace the SOAP/WS-=
Security stack then we are going to want a MAC over the message contents an=
d probably the request URI as well. Replay attack might not be a concern th=
en because we might prefer to do that in the application layer or if we do =
it in the HTTP layer we probably don&#39;t care much about the overhead of =
per connection state.</div>

--14dae9cdc32b55122904cf18b16a--