On 11/19/2012 5:18 AM, Stephane Bortzmeyer wrote:
> I vaguely remember that there was an Internet-Draft about declaring,
> in the DNS, that a HTTP server MUST be accessed only by HTTPS. But I
> cannot find it, either with the Datatracker or with Google. Any
> pointer?
The closest you're likely to find to that is in the http://tools.ietf.org/id/draft-jennings-http-srv-05.txt draft (expired), where an HTTPS SRV record might be published for a given site, but no equivalent HTTP SRV record. That would implicitly be a "declaration" that only HTTPS was supported for the site. Honestly though, I foresee that even if SRV record lookup is adopted by the browser community, for many years after that, browsers will continue to fall back to non-SRV-based connection methods. So the absence of an HTTP SRV record is not likely to prevent many HTTP connection attempts in the short to medium term.
> (I know about draft-ietf-websec-strict-transport-sec, which is an HTTP
> solution, I'm looking for a DNS one.)


Despite what the Wikipedia page says, that ID doesn't really define a "declaration" that HTTPS is preferred over HTTP as the transport to be used for accessing a given web host. The use of HTTPS is *assumed*, throughout the ID, in order for the mechanisms defined therein to occur, e.g. the use of the special "Strict-Transport-Security" HTTP header. The only major reference to non-secure HTTP is a generic recommendation ("SHOULD") to perform a 301 redirect from HTTP to HTTPS (which hardly needs an ID callout, since it's _de_facto_ standard anyway). The ID does make reference to a possible "HSTS Pre-Loaded List", i.e. a list of sites that a browser would know _a_priori_ to implement HSTS, but there is no automated mechanism defined to publish/distribute that list, other than a vague suggestion (Section 12.3) that site owners and browser implementors get together to bake the list into the software "at the factory".

                    - Kevin
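As an added illustration (not code from either message, nor from the ID itself) of what draft-ietf-websec-strict-transport-sec does define on the client side: a user agent keeps a store of "Known HSTS Hosts", seeded from a pre-loaded list and extended by Strict-Transport-Security headers, and only honours that header when it arrives over TLS. The host names and the pre-loaded entry are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed pre-loaded entry, standing in for the "baked in at the factory" list the ID mentions.
PRELOAD = {"preloaded.example": {"expires": None, "include_subdomains": True}}

def parse_sts(value):
    """Parse an STS header value into (max_age, include_subdomains); None if no valid max-age."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, preload=None, now=time.time):
        self.now = now
        self.policies = dict(preload or {})  # host -> {"expires", "include_subdomains"}

    def note_response(self, host, headers, over_tls):
        """Record a policy from a response; the header is ignored unless received over TLS."""
        parsed = parse_sts(headers.get("Strict-Transport-Security", ""))
        if not over_tls or parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the UA to forget the host
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = {"expires": self.now() + max_age, "include_subdomains": include_sub}
        return True

    def is_known(self, host):
        """True if host, or a superdomain flagged includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and (policy["expires"] is None or policy["expires"] > self.now()):
                if i == 0 or policy["include_subdomains"]:
                    return True
        return False

    def rewrite(self, url):  # upgrade http:// to https:// for Known HSTS Hosts
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or ""):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

The rewrite step is what replaces the 301 redirect once a host is known; before that first secure visit (or absent a pre-loaded entry) the UA still issues plain HTTP, which is exactly the gap a DNS-based declaration would aim to close.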
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
