Re: [websec] Regarding RFC 6797

2018-05-22 Thread Eitan Adler
On 14 May 2018 at 08:59, Tobias Gondrom wrote:
> I agree. Preload is probably the easiest way to go.
> And the use case of transfer of domain ownership can not be ignored.
>
> Not sure whether preload really needs further standardization, after all
> there are only a few browser implementations ou

Re: [websec] Regarding RFC 6797

2018-05-15 Thread Anne van Kesteren
On Tue, May 15, 2018 at 10:50 AM, Tobias Gondrom wrote:
> Do you think we need for this an individual RFC or would there be any simpler
> way we could achieve this?

You need an RFC that updates the existing RFC as there's no other extension path provided.

--
https://annevankesteren.nl/

Re: [websec] Regarding RFC 6797

2018-05-15 Thread Tobias Gondrom
-Original Message-
From: Anne van Kesteren
Sent: Monday, May 14, 2018 6:32 PM
To: Tobias Gondrom
Cc: Yoav Nir; Robert Linder; websec
Subject: Re: [websec] Regarding RFC 6797

>On Mon, May 14, 2018 at 5:59 PM, Tobias Gondrom
>wrote:
>> I agree. Preload is probably the

Re: [websec] Regarding RFC 6797

2018-05-14 Thread Anne van Kesteren
On Mon, May 14, 2018 at 5:59 PM, Tobias Gondrom wrote:
> I agree. Preload is probably the easiest way to go.
> And the use case of transfer of domain ownership can not be ignored.
>
> Not sure whether preload really needs further standardization, after all
> there are only a few browser implementa

Re: [websec] Regarding RFC 6797

2018-05-14 Thread Tobias Gondrom
] Regarding RFC 6797 On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote: > Immutable meaning that the HSTS header is permanent and can never be > removed? So if a user agent has seen an immutable HSTS header once, > that site has to be (valid) HTTPS-only forever? > > Interesting idea. FWIW,

Re: [websec] Regarding RFC 6797

2018-05-08 Thread Eric Mill
On Tue, May 8, 2018 at 3:47 AM, Anne van Kesteren wrote:
> On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote:
> > Immutable meaning that the HSTS header is permanent and can never be
> > removed? So if a user agent has seen an immutable HSTS header once, that
> > site has to be (valid) HTTPS-only

Re: [websec] Regarding RFC 6797

2018-05-08 Thread Anne van Kesteren
On Mon, May 7, 2018 at 9:54 PM, Yoav Nir wrote: > Immutable meaning that the HSTS header is permanent and can never be > removed? So if a user agent has seen an immutable HSTS header once, that > site has to be (valid) HTTPS-only forever? > > Interesting idea. FWIW, if anything, it should be abo

Re: [websec] Regarding RFC 6797

2018-05-07 Thread Yoav Nir
> On 4 May 2018, at 23:11, Robert Linder wrote:
>
> Hi,
>
> I would like to propose the addition of the ”immutable” directive (similar to
> that of RFC 8246) for the HSTS header field (RFC 6797).

Immutable meaning that the HSTS header is permanent and can never be removed? So if a user age

[websec] Regarding RFC 6797

2018-05-07 Thread Robert Linder
Hi,

I would like to propose the addition of the ”immutable” directive (similar to that of RFC 8246) for the HSTS header field (RFC 6797).

Best Regards,
Robert Linder
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec