- From: Martin Thomson <mt@lowentropy.net>
- Date: Thu, 10 Oct 2019 13:15:34 +1100
- To: ietf-http-wg@w3.org
This isn't consensus, but I agree with draft-roach-bis-documents on this subject. A wholesale replacement can just fix the bits that need fixing. We do our readership a disservice every time we ship a monkey-patch specification.

On Tue, Oct 8, 2019, at 10:46, Jeff Hodges wrote:
> [ just us ]
>
> ah, ok, something to chat about on Wed -- ie, are you thinking a
> monkey-patch of rfc6797 or an entire updated spec, or ...?
>
> On Mon, Oct 7, 2019 at 4:48 AM Mike West <mkwst@google.com> wrote:
> > Ok, thanks Mark. I'll aim to have an ID up by whenever the Singapore cutoff turns out to be.
> >
> > -mike
> >
> > On Thu, Oct 3, 2019 at 7:59 AM Mark Nottingham <mnot@mnot.net> wrote:
> >> Hey Mike,
> >>
> >> I wouldn't treat the silence as indicative of disinterest.
> >>
> >> Would you be willing to write up a short draft explaining your proposal and submit it for discussion in Singapore (presenting remotely if necessary)? Even if you decide not to do it here, I suspect you'll be able to reuse the markdown...
> >>
> >> Cheers,
> >>
> >> > On 1 Oct 2019, at 11:47 pm, Mike West <mkwst@google.com> wrote:
> >> >
> >> > Ping!
> >> >
> >> > If this group doesn't feel any particular ownership, I'm happy to try to define some web browsery behavior in W3C/WHATWG. If y'all would prefer an RFC6797bis, great!
> >> >
> >> > -mike
> >> >
> >> > On Wed, Sep 18, 2019 at 3:10 AM Mike West <mkwst@google.com> wrote:
> >> > A year or two ago, +John Wilander and others at Apple proposed some changes to HSTS in https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went some way towards mitigating the abuses documented in Section 14.9 of RFC6797. Given some shifts in the way we're thinking about some other concepts, I've written up a short proposal at https://github.com/mikewest/strict-navigation-security that builds upon and simplifies Apple's proposal. We discussed it briefly at yesterday's webappsec meeting, and there seems to be interest in doing something in this space.
> >> >
> >> > +Mark Nottingham and +Jeff Hodges suggested that I loop this group into that conversation, as the original websec group has disbanded. Is it a topic this group would like to pick up? If not, would y'all be comfortable with us defining some web browser behavior/Fetch integration in webappsec that constrains the existing RFC?
> >> >
> >> > Thanks!
> >> >
> >> > -mike
> >>
> >> --
> >> Mark Nottingham https://www.mnot.net/
> >>
> >
> --
> Thanks, HTH,
>
> =JeffH

Received on Thursday, 10 October 2019 02:15:58 UTC