From nobody Mon May 4 23:02:26 2015 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E78A1B2E57 for ; Mon, 4 May 2015 23:02:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.912 X-Spam-Level: X-Spam-Status: No, score=-106.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hQgspca6Z_V for ; Mon, 4 May 2015 23:02:21 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) by ietfa.amsl.com (Postfix) with ESMTP id D336C1B2E46 for ; Mon, 4 May 2015 23:02:21 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id DDA0B180092; Mon, 4 May 2015 23:01:01 -0700 (PDT) To: cevans@google.com, palmer@google.com, sleevi@google.com, barryleiba@computer.org, tobias.gondrom@gondrom.org, ynir.ietf@gmail.com X-PHP-Originating-Script: 6000:errata_mail_lib.php From: RFC Errata System Message-Id: <20150505060101.DDA0B180092@rfc-editor.org> Date: Mon, 4 May 2015 23:01:01 -0700 (PDT) Archived-At: Cc: kirit@felspar.com, websec@ietf.org, rfc-editor@rfc-editor.org Subject: [websec] [Technical Errata Reported] RFC7469 (4354) X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 May 2015 06:02:23 -0000 The following errata report has been submitted for RFC7469, "Public Key Pinning Extension for HTTP". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=7469&eid=4354 -------------------------------------- Type: Technical Reported by: Kirit Saelensminde Section: 3 Original Text ------------- As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST either use single- quoted JSON strings or use double-quoted JSON strings and backslash- escape the embedded double quotes in the quoted-string part of the known-pin. .... 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="', Corrected Text -------------- As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin. .... "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"", Notes ----- This RFC seems to think that single quotes are permissible in JSON. This is not the case. See http://tools.ietf.org/html/rfc7159#section-7 Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC7469 (draft-ietf-websec-key-pinning-21) -------------------------------------- Title : Public Key Pinning Extension for HTTP Publication Date : April 2015 Author(s) : C. Evans, C. Palmer, R. Sleevi Category : PROPOSED STANDARD Source : Web Security Area : Applications Stream : IETF Verifying Party : IESG From nobody Tue May 5 04:30:07 2015 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53BC81A8A8B; Tue, 5 May 2015 04:30:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.912 X-Spam-Level: X-Spam-Status: No, score=-101.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjrlzc87-SpM; Tue, 5 May 2015 04:30:04 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id 437161A8A8E; Tue, 5 May 2015 04:30:04 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 9C266180207; Tue, 5 May 2015 04:28:43 -0700 (PDT) To: kirit@felspar.com, cevans@google.com, palmer@google.com, sleevi@google.com X-PHP-Originating-Script: 1005:errata_mail_lib.php From: RFC Errata System Message-Id: <20150505112843.9C266180207@rfc-editor.org> Date: Tue, 5 May 2015 04:28:43 -0700 (PDT) Archived-At: Cc: barryleiba@computer.org, websec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org Subject: [websec] [Errata Verified] RFC7469 (4354) X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 May 2015 11:30:06 -0000 The following errata report has been verified for RFC7469, "Public Key Pinning Extension for HTTP". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=7469&eid=4354 -------------------------------------- Status: Verified Type: Technical Reported by: Kirit Saelensminde Date Reported: 2015-05-04 Verified by: Barry Leiba (IESG) Section: 3 Original Text ------------- As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST either use single- quoted JSON strings or use double-quoted JSON strings and backslash- escape the embedded double quotes in the quoted-string part of the known-pin. .... 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="', Corrected Text -------------- As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin. .... "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"", Notes ----- This RFC seems to think that single quotes are permissible in JSON. This is not the case. See http://tools.ietf.org/html/rfc7159#section-7 -------------------------------------- RFC7469 (draft-ietf-websec-key-pinning-21) -------------------------------------- Title : Public Key Pinning Extension for HTTP Publication Date : April 2015 Author(s) : C. Evans, C. Palmer, R. Sleevi Category : PROPOSED STANDARD Source : Web Security Area : Applications Stream : IETF Verifying Party : IESG From nobody Wed May 6 09:43:36 2015 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A0BC1B2C61 for ; Wed, 6 May 2015 09:43:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.445 X-Spam-Level: X-Spam-Status: No, score=-1.445 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RAZOR2_CHECK=0.922, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVYzGZpyMF28 for ; Wed, 6 May 2015 09:43:34 -0700 (PDT) Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49C291A1BE7 for ; Wed, 6 May 2015 09:43:34 -0700 (PDT) Received: from pps.filterd (m0004077 [127.0.0.1]) by mx0b-00082601.pphosted.com (8.14.5/8.14.5) with SMTP id t46Ggb8v003598 for ; Wed, 6 May 2015 09:43:33 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=facebook; bh=pcpydnLYT4uhwuJgv4wdwM0FSJGaACNOV1W9ZFbJoo8=; b=DxTNtMpHav/MsvYNEwZILGU+yt2+mDLjxhle2cxxVOR25R50fw8tJLupu6kiw7mFmgCG 9ImjHkD8ZbESMFpQRX86uxzQuwfv05iEkImJEmv3UZK02s69nT19X64vi2UiZ7FKyALK 1xcnvOEDR5H2W90LcX4zCk0dcJSYs3N1CdY= Received: from mail.thefacebook.com ([199.201.64.23]) by mx0b-00082601.pphosted.com with ESMTP id 1u7pa383xj-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Wed, 06 May 2015 09:43:33 -0700 Received: from PRN-MBX02-3.TheFacebook.com ([169.254.5.145]) by PRN-CHUB01.TheFacebook.com ([fe80::d5cc:849:f520:db6b%12]) with mapi id 14.03.0195.001; Wed, 6 May 2015 09:43:31 -0700 From: Brad Hill To: "websec@ietf.org" Thread-Topic: Call for review: Subresource Integrity Thread-Index: AdCIG6MiH2lrJHkcTLm+G+SjfpHtnA== Date: Wed, 6 May 2015 16:43:30 +0000 Message-ID: <71512C0F85CD764C8AB1CCDCA2FA4FE807CC70CF@PRN-MBX02-3.TheFacebook.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.168.52.13] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Spam-Reason: safe X-FB-Internal: Safe X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-05-06_04:2015-05-05,2015-05-06,1970-01-01 signatures=0 Archived-At: Subject: [websec] Call for review: Subresource Integrity X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 May 2015 16:43:35 -0000 WebSec members and interested parties, The WebAppSec WG at the W3C plans to advance Subresource Integrity to Candi= date Recommendation soon and is asking for wide review of the specification= . This specification defines a mechanism by which user agents may verify that= a fetched resource has been delivered without unexpected manipulation. http://w3c.github.io/webappsec/specs/subresourceintegrity/ If you wish to make comments regarding this document, please send them to p= ublic-webappsec@w3.org with [SRI] at the start of your email's subject. All= comments are welcome. Further sharing of this call for wide review among other interested communi= ties is encouraged. Thank you, Brad Hill