Hi,

This is about fetching CRLs from a domain that happens to be the same as that of a website.

Obviously you can't get a CRL or an OCSP response over HTTPS. Jeff's response was that they should use a different domain name for the CRLs (if they want to deploy HSTS). Obviously, it's too late to change AIA or CDP in existing certificates.

But I think it goes deeper. HSTS affects what the browser is doing. Different resources from the same domain should all be protected by TLS. But we don't expect this to affect things that are outside the browser, like email or system updates. IMO the fetching of CRLs or OCSP responses is not part of the browsing, but part of the HTTPS handshake. The fact that some browsers implement both is beside the point. Internet Explorer uses an OS library to do the TLS handshake, including any checking of revocation. In fact, getting the CRL fetch function to apply the HSTS policy would require extra effort from the browser implementer.

I think we should simply say that HSTS does not apply to non-content. Fetching CRLs or browser software updates is not content, and HSTS should not apply to it.

Yoav

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
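The split the message argues for, as an added illustration rather than code from the thread or from any browser: a small HSTS policy store (RFC 6797 header syntax) that upgrades content fetches to https:// but leaves revocation fetches from CDP/AIA URLs alone, since those cannot be served over HTTPS. Class and function names, the `kind` labels, and the sample hosts are hypothetical.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    host: str
    expires: float  # absolute time after which the policy lapses
    include_subdomains: bool


class HstsStore:
    """Hypothetical HSTS cache; observe() assumes the header arrived over TLS."""

    def __init__(self):
        self._entries = {}

    def observe(self, host, header, now=None):
        """Parse a Strict-Transport-Security header value and record the policy."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; an invalid header is ignored
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 withdraws the policy
            return
        self._entries[host.lower()] = HstsEntry(host.lower(), now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host (or a superdomain with includeSubDomains) has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def apply(self, url, kind, now=None):
        """Return the URL to fetch. kind: "content" (browser navigation or
        subresource, subject to HSTS) or "revocation" (CRL/OCSP fetch done by
        the TLS stack during the handshake, exempt). Explicit ports not handled."""
        p = urlsplit(url)
        if kind == "content" and p.scheme == "http" and self.is_known(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```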