W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

fyi: Strict Transport Security specification

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Fri, 18 Sep 2009 16:21:05 -0600
Message-ID: <F184CAD0C947F3418351F992AF37D7E00668A009@DEN-EXM-04.corp.ebay.com>
To: <public-webapps@w3.org>
Cc: "Hodges, Jeff" <jeff.hodges@paypal.com>, "Collin Jackson" <collin.jackson@sv.cmu.edu>, <abarth@eecs.berkeley.edu>

We wish to bring the following draft specification to your attention..

   Strict Transport Security (STS)

It specifies a refined approach to that described by Jackson and Barth in..

   ForceHTTPS: Protecting High-Security Web Sites from Network Attacks

An experimental implementation of STS will be appearing in the Google Chrome 
dev channel in the not-too-distant future..

   Google Chrome (dev channel)

Sid Stamm (of Mozilla) has a Firefox extension presently implementing
an earlier revision of this specification (a soon-to-appear v2.0 of 
the extension will implement the present spec version)..

   Force-TLS 1.0.3

Sid also discusses this approach in this blog post..

   Locking up the valuables: Opt-in security with ForceTLS

We are interested in bringing this work to W3C WebApps Working Group as a 
Recommendation-track specification. We are willing to license it under W3C 
terms, we understand that it may change due to implementer or public feedback, 
and that should it be of interest to other implementors, we're willing to 
contribute to editorial and test suite efforts.

We're looking forward to the WebApps WG's feedback and comments.


PayPal InfoSec Team

Collin Jackson
Carnegie Mellon University

Adam Barth
University of California Berkeley
Received on Sunday, 20 September 2009 15:34:30 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:18 UTC