On 01/02/2012 00:27, =JeffH wrote:
Alexey pointed out to me..
Hi Jeff,
BTW, you moved lots of references to Informational (e.g. all IDNA
related), I think this is incorrect - their understanding is
required in
order to implement HSTS correctly.
So, yes, I did (ruthlessly) move a ton of references to Informational.
I wanted to pare down the Normative references to the absolutely
necessary ones.
Wrt IDNA refs, I'm happy to move them back to Normative if that's what
folks think. Note that in typical implementations, all the IDN
normalizations have occurred before getting to the actual HSTS
implementation. there's this text in Section 8. User Agent Processing
Model...
This processing model assumes that the UA implements IDNA2008
[RFC5890], or possibly IDNA2003 [RFC3490], as noted in Section 13
Internationalized Domain Names for Applications (IDNA): Dependency
and Migration. It also assumes that all domain names manipulated in
this specification's context are already IDNA-canonicalized as
outlined in Section 9 Domain Name IDNA-Canonicalization prior to
the processing specified in this section.
The above assumptions mean that this processing model also
specifically assumes that appropriate IDNA and Unicode validations
and character list testing have occurred on the domain names, in
conjunction with their IDNA-canonicalization, prior to the processing
specified in this section. See the IDNA-specific security
considerations in Section 14.8 Internationalized Domain Names for
rationale and further details.
So, if folks indeed wish IDN refs to be Normative, I'll move 'em back.
You have normative (RFC 2119) language about use of IDN related
specifications in the document, IESG statement on normative/informative
references apply:
http://www.ietf.org/iesg/statement/normative-informative.html.
Also please point out any other refs y'all think should be in the
Normative section but aren't.
thanks,
=JeffH
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
