Re: HSTS Fingerprinting.

Ok, thanks Mark. I'll aim to have an ID up by whenever the Singapore cutoff
turns out to be.

-mike


On Thu, Oct 3, 2019 at 7:59 AM Mark Nottingham <mnot@mnot.net> wrote:

> Hey Mike,
>
> I wouldn't treat the silence as indicative of disinterest.
>
> Would you be willing to write up a short draft explaining your proposal
> and submit it for discussion in Singapore (presenting remotely if
> necessary)? Even if you decide not to do it here, I suspect you'll be able
> to reuse the markdown...
>
> Cheers,
>
>
> > On 1 Oct 2019, at 11:47 pm, Mike West <mkwst@google.com> wrote:
> >
> > Ping!
> >
> > If this group doesn't feel any particular ownership, I'm happy to try to
> > define some web browsery behavior in W3C/WHATWG. If y'all would prefer an
> > RFC6797bis, great!
> >
> > -mike
> >
> >
> > On Wed, Sep 18, 2019 at 3:10 AM Mike West <mkwst@google.com> wrote:
> > A year or two ago, +John Wilander and others at Apple proposed some
> > changes to HSTS in
> > https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went
> > some way towards mitigating the abuses documented in Section 14.9 of
> > RFC6797. Given some shifts in the way we're thinking about some other
> > concepts, I've written up a short proposal at
> > https://github.com/mikewest/strict-navigation-security that builds upon
> > and simplifies Apple's proposal. We discussed it briefly at yesterday's
> > webappsec meeting, and there seems to be interest in doing something in
> > this space.
> >
> > +Mark Nottingham and +Jeff Hodges suggested that I loop this group into
> > that conversation, as the original websec group has disbanded. Is it a
> > topic this group would like to pick up? If not, would y'all be comfortable
> > with us defining some web browser behavior/Fetch integration in webappsec
> > that constrains the existing RFC?
> >
> > Thanks!
> >
> > -mike
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Monday, 7 October 2019 11:48:27 UTC