Hi

This is about fetching CRLs from a domain that happens to be the same as that 
of a website. 

Obviously you can't get a CRL or an OCSP response over HTTPS. Jeff's response 
was that they should use a different domain name for the CRLs (if they want to 
deploy HSTS). 

Obviously, it's too late to change AIA or CDP in existing certificates. But I 
think it goes deeper. HSTS affects what the browser is doing. Different 
resources from the same domain should all be protected by TLS. But we don't 
expect this to affect things that are outside the browser, like email or system 
updates. IMO the fetching of CRLs or OCSP responses is not part of the 
browsing, but part of the HTTPS handshake. The fact that some browsers 
implement both is beside the point. Internet Explorer uses an OS library to do 
the TLS handshake, including any checking of revocation. In fact, getting the 
CRL fetch function to apply the HSTS policy would require extra effort from the 
browser implementer. 

I think we should simply say that HSTS does not apply to non-content. Fetching 
CRLs or browser software updates is not content, and HSTS should not apply to 
it.

Yoav

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

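The scoping rule argued in the message above, as an added illustrative model (not code from the websec thread, from any browser, or from any TLS library): an HSTS policy store that upgrades content fetches for a matching host (including the includeSubDomains case) but leaves CRL and OCSP fetches alone, since those belong to the handshake rather than to the browsing. The host names, URLs and the fetch-kind labels are assumptions made for the example.

```python
"""
Illustrative HSTS policy model.  Added example; not code from the websec
thread, a browser, or a TLS library.  Host names, URLs and the fetch-kind
labels below are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    host: str
    include_subdomains: bool


# "Content" in the sense used in the message: the browser requests a
# resource on behalf of a page.  HSTS applies to these.
CONTENT_FETCHES = {"navigation", "subresource", "xhr"}

# Fetches driven by certificate validation during the TLS handshake.
# These are not upgraded: an https CRL/OCSP fetch would itself need a
# validated certificate, possibly one whose CDP/AIA points back at the
# same host, so the policy must stop at the content boundary.
REVOCATION_FETCHES = {"crl", "ocsp"}


class HstsStore:
    """Known-HSTS hosts, keyed by lower-cased host name."""

    def __init__(self):
        self._entries = {}

    def add(self, host, include_subdomains=False):
        host = host.lower()
        self._entries[host] = HstsEntry(host, include_subdomains)

    def matches(self, host):
        """True if host is covered directly or via an includeSubDomains entry."""
        host = host.lower()
        if host in self._entries:
            return True
        labels = host.split(".")
        # Walk up the parent domains: a.b.example.com -> b.example.com -> ...
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self._entries.get(parent)
            if entry is not None and entry.include_subdomains:
                return True
        return False

    def apply(self, url, fetch_kind):
        """Return the URL the client should actually fetch for this kind of fetch."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url  # already https (or some other scheme); nothing to do
        if fetch_kind in REVOCATION_FETCHES:
            return url  # non-content: HSTS does not apply, fetch stays plain http
        if fetch_kind not in CONTENT_FETCHES:
            raise ValueError(f"unknown fetch kind {fetch_kind!r}")
        if not self.matches(parts.hostname):
            return url
        # Upgrade: https on the default port; an explicit :80 is dropped.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.add("example.com", include_subdomains=True)  # assumed HSTS host
    for url, kind in [
        ("http://www.example.com/index.html", "navigation"),
        ("http://www.example.com/ca.crl", "crl"),          # assumed CDP URL
        ("http://ocsp.example.com/", "ocsp"),              # assumed AIA URL
        ("http://other.net/logo.png", "subresource"),
    ]:
        print(f"{kind:12} {url} -> {store.apply(url, kind)}")
```

The same host serves both a page and a CRL here; only the page fetch is rewritten to https, which is the distinction the message draws between content and non-content.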