- From: Eric Mill <eric.mill@gsa.gov>
- Date: Fri, 20 Jan 2017 14:30:39 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Lucas Garron <lgarron@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, websec <websec@ietf.org>
- Message-ID: <CAC7uhV_NUo4ZrWAWLSkyvWOB=ZqP0jtVDzs8iHtbFqcCa6tSRQ@mail.gmail.com>
On Fri, Jan 20, 2017 at 1:52 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 20, 2017 at 7:38 PM, Eric Mill <eric.mill@gsa.gov> wrote:
> > It's a novel approach, and potentially could serve as a model for other TLDs
> > or suffixes -- so if folks have any feedback or suggestions about this
> > effort, it'd be welcome and timely.
>
> Is the reverse not possible? Where everything .gov is HSTS, unless
> it's on an HTTP-safelist? Or would that list still be way longer?

The reverse is certainly possible, but not right away. This change currently only includes a subset of the .gov user base -- executive branch agencies, which currently represent ~1,100 of the total ~5,600 .gov domains. The .gov TLD is also used for legislative branch and judicial branch agencies (~200 domains), as well as state, city, county, and other local entities (~4,000 domains), as well as native tribal governments (~170 domains). (Estimates; the numbers don't add up exactly.)

If GSA at some point extends the practice to include those other entities, it would then become feasible to tell browsers "preload *.gov, _except_ for these X,X00 domains", where the X,X00 domains represent the existing legacy non-preloaded .gov domains at that time across all parts of the user base. Then the TLD could focus on just deleting legacy non-preloaded entries from the list over time, instead of adding new entries to the list.

However, to take that kind of step, clients that use preload lists would also need to support the idea of "carveouts". This has come up before for second-level domains (e.g. preload "facebook.com" except for these old subdomains), and there seemed to be pretty broad consensus that list operators don't want to support that. It might be a different value proposition if applied to top-level domains and public suffixes, though.

-- Eric

> --
> https://annevankesteren.nl/

--
Eric Mill
Senior Advisor on Technology
Technology Transformation Service, GSA
eric.mill@gsa.gov, +1-617-314-0966
Received on Sunday, 22 January 2017 17:56:23 UTC
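The "preload *.gov, except for these legacy domains" carve-out model discussed in the message, as an added example that is not part of the thread and is not any browser's preload code. The "exempt" entry type is a hypothetical extension of today's force-only lists, and every domain name below is constructed sample data, not real preload-list content.

```python
# Toy HSTS preload lookup with carve-outs (added example, not from the thread).
# Real preload lists only carry "force HTTPS" entries, each with an
# include_subdomains flag. A carve-out needs a second, hypothetical kind of
# entry ("exempt") plus a rule for conflicts: the most specific matching
# entry wins, so an exempt legacy site can sit under a preloaded TLD, and a
# host under that legacy site can be re-included explicitly.

ENTRIES = {
    # name: (include_subdomains, force_https)   -- all names are constructed
    "gov": (True, True),                                # whole-TLD entry
    "legacy.example-agency.gov": (True, False),         # carve-out
    "secure.legacy.example-agency.gov": (False, True),  # re-included host
}


def _parents(host):
    """Yield the host, then each parent domain, most specific first."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def preloaded(host, entries=ENTRIES):
    """Return (force_https, matched_entry_name).

    matched_entry_name is None when no entry applies. An entry applies to the
    host itself always, and to subdomains only when include_subdomains is set;
    walking parents most specific first makes the nearest entry win.
    """
    for depth, name in enumerate(_parents(host)):
        if name not in entries:
            continue
        include_subdomains, force = entries[name]
        if depth == 0 or include_subdomains:
            return force, name
    return False, None


def legacy_count(entries=ENTRIES):
    """Number of exempt entries: the figure the message expects to shrink over time."""
    return sum(1 for _, force in entries.values() if not force)
```

Deleting an exempt entry flips its domain to forced HTTPS via the TLD entry, which is the "delete legacy entries instead of adding new ones" workflow the message describes.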