Re: VeriSign feedback/comments on STS -06

2010/5/17 Henrik Nordström <>:
> A policy which is equally applicable to all protocols supporting both
> plain-text and TLS.
> HTTP, SMTP, IMAP, POP-3, LDAP, you name it.

In practice, though, this is needed most for HTTP.  Easy-to-MITM
clients rarely submit sensitive information over SMTP, IMAP, POP-3, or
LDAP, compared to HTTP.  It might be nice to adopt a solution that
works for all of these, but not if it will slow down adoption for the
biggest use-case (HTTP).  Do we even have any clients interested in
implementing this for anything other than HTTP?

> Not a problem for an DNS based approach. That would need to be done
> similar to how SRV records is done.

DNS is simply untenable until DNSSEC is reliably available.

> Yes. But also means that you via your CA certify that you fulfill STS
> requirements.

What requirements?

> CAs have to agree on including the attribute in the signed data yes.

That sounds like a needless obstacle to adoption in the HTTP case.
There are an awful lot of CAs out there.  And sites will want to
change the STS expiration a lot more than once a year, especially
while it's new and they're trying it out.  I'd expect initial
deployments to use very short expiration times to ensure they aren't
hit by any unforeseen bugs, and only move to multi-month expirations
or longer after significant testing.

Received on Tuesday, 18 May 2010 21:12:23 UTC