W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: fyi: Strict Transport Security specification

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 18 Sep 2009 22:30:15 -0700
Message-ID: <63df84f0909182230i699cebf1gd118ad8852173a6d@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: public-webapps@w3.org, Jeff Hodges <jeff.hodges@paypal.com>, Adam Barth <abarth@eecs.berkeley.edu>, Collin Jackson <collin.jackson@sv.cmu.edu>
On Fri, Sep 18, 2009 at 6:00 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> We are interested in bringing this work to W3C WebApps Working Group as a
> Recommendation-track specification. We are willing to license it under W3C
> terms, we understand that it may change due to implementer or public
> feedback,
> and that should it be of interest to other implementors, we're willing to
> contribute to editorial and test suite efforts.
>
> We're looking forward to the WebApps WG's feedback and comments.

This definitely looks very interesting. I am admittedly a bit worried
about requests to one url to a server affecting any subsequent
requests to not just that server, but also to any subdomain.

I wonder for example if the client when receiving a
Strict-Transport-Security header should make a request to the root url
of the same origin to verify that the server indeed wants to opt in to
STS.

However, I definitely think this is a draft worth publishing in order
to reach a broader group of people for comments.

But, while I don't personally care which standards organization is in
charge of publishing this, I suspect that you'll get the feedback that
IETF is the correct place to publish this spec.

/ Jonas
Received on Saturday, 19 September 2009 05:31:14 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:33 GMT