HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-14
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-11-15 | 14 | Ben Campbell | Request for Telechat review by GENART Completed: Ready. Reviewer: Ben Campbell. |
2012-10-04 | 14 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'No Response' |
2012-10-03 | 14 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2012-10-03 | 14 | Cindy Morgan | State changed to RFC Ed Queue from Approved-announcement sent |
2012-10-02 | 14 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2012-10-02 | 14 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2012-10-02 | 14 | (System) | IANA Action state changed to In Progress |
2012-10-02 | 14 | Amy Vezza | State changed to Approved-announcement sent from Approved-announcement to be sent |
2012-10-02 | 14 | Amy Vezza | IESG has approved the document |
2012-10-02 | 14 | Amy Vezza | Closed "Approve" ballot |
2012-10-02 | 14 | Amy Vezza | Ballot approval text was generated |
2012-10-02 | 14 | Barry Leiba | State changed to Approved-announcement to be sent from IESG Evaluation::AD Followup |
2012-09-29 | 14 | Robert Sparks | [Ballot comment] Thanks for addressing all of my comments. |
2012-09-29 | 14 | Robert Sparks | [Ballot Position Update] Position for Robert Sparks has been changed to Yes from Discuss |
2012-09-29 | 14 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-09-29 | 14 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-14.txt |
2012-09-27 | 13 | Cindy Morgan | State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation |
2012-09-27 | 13 | Pete Resnick | [Ballot comment] 6.1: Additional directives extending the semantic functionality of the STS header field can be defined in other specifications, with a registry (having an IANA policy definition of IETF Review [RFC5226]) defined for them at such time. Is IETF Review really necessary? Seems to me "Specification Required" is more than sufficient, and I would not be completely averse to "First Come First Served". 15: Why not set up the directives registry now? |
2012-09-27 | 13 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2012-09-27 | 13 | Gonzalo Camarillo | [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo |
2012-09-27 | 13 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2012-09-27 | 13 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley |
2012-09-27 | 13 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2012-09-27 | 13 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2012-09-26 | 13 | Wesley Eddy | [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy |
2012-09-26 | 13 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded for Ralph Droms |
2012-09-26 | 13 | Sean Turner | [Ballot comment] I was going to say "Well written indeed" and leave it at that but I thought s14 was outstanding. In s11.2: Maybe make this a SHOULD: Additionally, server implementers should consider employing a default max-age value of zero in their deployment configuration systems. or say: Additionally, it is RECOMMENDED that server implementers employ a default max-age value of zero in their deployment configuration systems. |
2012-09-26 | 13 | Sean Turner | [Ballot Position Update] New position, Yes, has been recorded for Sean Turner |
2012-09-26 | 13 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2012-09-26 | 13 | Stephen Farrell | [Ballot comment] This is a very well written document. Thanks! Only comment I have is that 6.1 says that directives are optional or required according to their definitions. Is it actually possible to define a new required directive without breaking interop with this spec? If not then I think saying that would be good. |
2012-09-26 | 13 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2012-09-25 | 13 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica |
2012-09-25 | 13 | Robert Sparks | [Ballot discuss] I have two points to discuss that I think will be easy to address. 1) Consider the case where a policy maker for example.edu configures the server to enforce STS, and to include the "includeSubDomains" directive in the STS header field that server returns. This policy maker may think they've set policy for all the servers inside example.edu at this point, which is clearly not the case. A browser that only accessed a departmental server, say math.example.edu, would never see (so would never cache from) the response that contains the policy. Was this case discussed in the WG? Could some text be added to the document to make it more likely that the server administrator for example.edu would understand that configuring just the top level server will only cause browsers that actually access that top-level server to use STS on subdomains? 2) The document does a great job of discussing how to handle the expiration time on cached entries when setting or updating those entries (that is, when processing a response). I'm not finding any text that says an implementation should check the expiration time before _using_ a cache entry (preparing a new request). I expected to see something in 8.3 (or perhaps 8.2) calling out that expired cache entries must not be used. |
2012-09-25 | 13 | Robert Sparks | [Ballot comment] In section 14.4's first bullet, where you note "the web application will be rendered unusable for the UA's user", consider calling this out as a reason for clients to consider providing a way for users to remove entries from the cache. Nit: In section 7.1 second paragraph "may be accomplished over the HTTP protocol" could be read to mean over an unsecure transport. |
2012-09-25 | 13 | Robert Sparks | [Ballot Position Update] New position, Discuss, has been recorded for Robert Sparks |
2012-09-25 | 13 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2012-09-20 | 13 | Jean Mahoney | Request for Telechat review by GENART is assigned to Ben Campbell |
2012-09-20 | 13 | Jean Mahoney | Request for Telechat review by GENART is assigned to Ben Campbell |
2012-09-15 | 13 | Barry Leiba | State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup |
2012-09-15 | 13 | Barry Leiba | Placed on agenda for telechat - 2012-09-27 |
2012-09-15 | 13 | Barry Leiba | Ballot has been issued |
2012-09-15 | 13 | Barry Leiba | [Ballot Position Update] New position, Yes, has been recorded for Barry Leiba |
2012-09-15 | 13 | Barry Leiba | Created "Approve" ballot |
2012-09-15 | 13 | Barry Leiba | Ballot writeup was changed |
2012-09-14 | 13 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-09-14 | 13 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-13.txt |
2012-08-13 | 12 | Barry Leiba | State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead::AD Followup |
2012-08-13 | 12 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-08-13 | 12 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-12.txt |
2012-08-10 | 11 | Ben Campbell | Request for Last Call review by GENART Completed: Ready. Reviewer: Ben Campbell. |
2012-07-25 | 11 | Barry Leiba | Need a revised ID to address the GenART review. |
2012-07-25 | 11 | Barry Leiba | State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead |
2012-07-25 | 11 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call |
2012-07-24 | 11 | Pearl Liang | IANA has reviewed draft-ietf-websec-strict-transport-sec-11 and has the following comments: IANA has a question about the IANA Action requested in this document. Upon approval of this document, IANA understands that there is a single IANA action which must be completed. In the Permanent Message Header registry located at: http://www.iana.org/assignments/message-headers/perm-headers.html a new message header will be registered as follows: Header field name: Strict-Transport-Security Applicable protocol: HTTP Status: standard Specification document(s): this one Currently the Permanent Message Header registry is maintained through expert review as defined in RFC 5226. IANA Question -> has the document been reviewed by the Permanent Message Header registry expert? IANA understands that the action above is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. |
2012-07-13 | 11 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Eric Rescorla |
2012-07-13 | 11 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Eric Rescorla |
2012-07-12 | 11 | Jean Mahoney | Request for Last Call review by GENART is assigned to Ben Campbell |
2012-07-12 | 11 | Jean Mahoney | Request for Last Call review by GENART is assigned to Ben Campbell |
2012-07-11 | 11 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Subject: Last Call: (HTTP Strict Transport Security (HSTS)) to Proposed Standard The IESG has received a request from the Web Security WG (websec) to consider the following document: - 'HTTP Strict Transport Security (HSTS)' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2012-07-25. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field, and/or by other means, such as user agent configuration, for example. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/ballot/ This Proposed Standard has downrefs to the following Informational RFCs: RFC 2818, HTTP Over TLS RFC 5895, Mapping Characters for IDNA ...and a normative reference to the following obsolete RFC, which is cited alongside its replacement: RFC 3490, Internationalizing Domain Names in Applications No IPR declarations have been submitted directly on this I-D. |
2012-07-11 | 11 | Cindy Morgan | State changed to In Last Call from Last Call Requested |
2012-07-11 | 11 | Cindy Morgan | Last call announcement was changed |
2012-07-11 | 11 | Cindy Morgan | Last call announcement was generated |
2012-07-10 | 11 | Barry Leiba | Last call was requested |
2012-07-10 | 11 | Barry Leiba | Ballot approval text was generated |
2012-07-10 | 11 | Barry Leiba | State changed to Last Call Requested from AD Evaluation::AD Followup |
2012-07-10 | 11 | Barry Leiba | Last call announcement was changed |
2012-07-10 | 11 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-07-10 | 11 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-11.txt |
2012-07-07 | 10 | Barry Leiba | State changed to AD Evaluation::Revised ID Needed from AD Evaluation |
2012-07-06 | 10 | Barry Leiba | Last call announcement was changed |
2012-07-06 | 10 | Barry Leiba | Last call announcement was generated |
2012-07-06 | 10 | Barry Leiba | Changed protocol writeup |
2012-07-06 | 10 | Barry Leiba | Changed protocol writeup |
2012-07-06 | 10 | Barry Leiba | State changed to AD Evaluation from Publication Requested |
2012-07-06 | 10 | Barry Leiba | State changed to Publication Requested from AD is watching |
2012-07-06 | 10 | Barry Leiba | Ballot writeup was changed |
2012-07-06 | 10 | Barry Leiba | Ballot writeup was generated |
2012-07-05 | 10 | Barry Leiba | Responsible AD changed to Barry Leiba from Peter Saint-Andre |
2012-07-05 | 10 | Barry Leiba | Intended Status changed to Proposed Standard from Draft Standard |
2012-07-02 | 10 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-10.txt |
2012-06-06 | 09 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-09.txt |
2012-05-17 | 08 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-08.txt |
2012-05-02 | 07 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-07.txt |
2012-03-12 | 06 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-06.txt |
2012-03-09 | 05 | Jeff Hodges | New version available: draft-ietf-websec-strict-transport-sec-05.txt |
2012-01-27 | 04 | (System) | New version available: draft-ietf-websec-strict-transport-sec-04.txt |
2011-10-31 | 03 | (System) | New version available: draft-ietf-websec-strict-transport-sec-03.txt |
2011-10-17 | 04 | Peter Saint-Andre | Draft added in state AD is watching |
2011-08-05 | 02 | (System) | New version available: draft-ietf-websec-strict-transport-sec-02.txt |
2011-03-14 | 01 | (System) | New version available: draft-ietf-websec-strict-transport-sec-01.txt |
2011-01-05 | 00 | (System) | New version available: draft-ietf-websec-strict-transport-sec-00.txt |
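The two points in Robert Sparks' 2012-09-25 discuss (a policy with includeSubDomains is only learned by a user agent that actually receives a response from the host that sends it, and an expired cache entry must not be consulted when preparing a request), together with the header-field mechanism summarised in the Last Call abstract, are illustrated by the following user-agent-side HSTS policy store. This is an added example written for this page, not code from the draft, its authors or any browser; the host names example.edu and math.example.edu are taken from the discuss text, the header values and timestamps are constructed, and the `over_tls` flag models the draft's rule that the header is only honoured when received over a secure transport.

```python
"""Toy HSTS policy cache modelling user-agent behaviour (added example, not from the draft)."""
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the value is
    not usable (missing, duplicated or non-numeric max-age). Directive names
    are case-insensitive; unrecognised directives are ignored so that future
    extension directives do not break this parser.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="3600" (quoted-string) is also legal
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None  # duplicate or malformed max-age: reject the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None  # max-age is required
    return max_age, include_subdomains


@dataclass
class Entry:
    expires: float          # absolute time after which the entry must not be used
    include_subdomains: bool


class HstsCache:
    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def note_response(self, host: str, header: Optional[str],
                      now: Optional[float] = None, over_tls: bool = True) -> None:
        """Process one response from `host`.

        Only the host that was actually contacted learns a policy: a response
        from example.edu is never seen by a UA that only talked to
        math.example.edu, so no entry is created for the apex in that case.
        """
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        if header is None or not over_tls:
            return  # no header, or header received over plain HTTP: ignore
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._entries[host] = Entry(now + max_age, include_subdomains)

    def _live(self, host: str, now: float) -> Optional[Entry]:
        """Return the entry for host only if it has not expired."""
        entry = self._entries.get(host)
        if entry is None:
            return None
        if entry.expires <= now:
            del self._entries[host]  # expired entries must not be used
            return None
        return entry

    def is_known(self, host: str, now: Optional[float] = None) -> bool:
        """True if a request to host must be upgraded to a secure transport."""
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        if self._live(host, now) is not None:
            return True
        labels = host.split(".")
        # Superdomain match on label boundaries: example.edu covers
        # math.example.edu only if its entry carries includeSubDomains.
        for i in range(1, len(labels)):
            entry = self._live(".".join(labels[i:]), now)
            if entry is not None and entry.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    cache, t0 = HstsCache(), 1_000_000.0
    cache.note_response("math.example.edu", None, t0)  # departmental host sends no header
    print("math.example.edu known:", cache.is_known("math.example.edu", t0))
    cache.note_response("example.edu", "max-age=31536000; includeSubDomains", t0)
    print("after visiting apex:", cache.is_known("math.example.edu", t0))
    print("one year later:", cache.is_known("math.example.edu", t0 + 31536001))
```

Running the demo shows the sequence from the discuss: the departmental host alone yields no policy, the apex's includeSubDomains entry then covers it, and the entry stops being used once `now` passes its expiry. The label-boundary loop also prevents `notexample.edu` from being matched by an entry for `example.edu`.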