W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2017

Re: [websec] Notes from an HSTS Meetup (Sep. 2016)

From: Eric Mill <eric.mill@gsa.gov>
Date: Fri, 20 Jan 2017 14:30:39 -0500
Message-ID: <CAC7uhV_NUo4ZrWAWLSkyvWOB=ZqP0jtVDzs8iHtbFqcCa6tSRQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Lucas Garron <lgarron@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, websec <websec@ietf.org>
On Fri, Jan 20, 2017 at 1:52 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 20, 2017 at 7:38 PM, Eric Mill <eric.mill@gsa.gov> wrote:
> > It's a novel approach, and potentially could serve as a model for other
> TLDs
> > or suffixes -- so if folks have any feedback or suggestions about this
> > effort, it'd be welcome and timely.
> Is the reverse not possible? Where everything .gov is HSTS, unless
> it's on an HTTP-safelist? Or would that list still be way longer?

The reverse is certainly possible, but not right away. This change
currently only includes a subset of the .gov user base -- executive branch
agencies, which currently represent ~1,100 of the total ~5,600 .gov

The .gov TLD is also used for legislative branch and judicial branch
agencies (~200 domains), as well as state, city, county, and other local
entities (~4,000 domains), as well as native tribal governments (~170
domains). (Estimates, the numbers don't add up exactly.)

If GSA at some point extends the practice to include those other entities,
it would then become feasible to tell browsers "preload *.gov, _except_ for
these X,X00 domains", where the X,X00 domains represent the existing legacy
non-preloaded .gov domains at that time across all parts of the user base.
Then the TLD could focus on just deleting legacy non-preloaded entries from
the list over time, instead of adding new entries to the list.

However, to take that kind of step, clients that use preload lists would
also need to support the idea of "carveouts". This has come up before for
second-level domains (e.g. preload "facebook.com" except for these old
subdomains), and there seemed to be pretty broad consensus that list
operators don't want to support that. It might be a different value
proposition if applied to top-level domains and public suffixes, though.

-- Eric

> --
> https://annevankesteren.nl/

Eric Mill
Senior Advisor on Technology
Technology Transformation Service, GSA
eric.mill@gsa.gov, +1-617-314-0966
Received on Sunday, 22 January 2017 17:56:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:59 UTC