Last Call Review of draft-ietf-websec-strict-transport-sec-

Request Review of draft-ietf-websec-strict-transport-sec
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2012-07-25
Requested 2012-07-12
Authors Jeff Hodges, Collin Jackson, Adam Barth
Draft last updated 2012-08-10
Completed reviews Genart Last Call review of -?? by Ben Campbell
Genart Telechat review of -13 by Ben Campbell (diff)
Assignment Reviewer Ben Campbell 
State Completed
Review review-ietf-websec-strict-transport-sec-genart-lc-campbell-2012-08-10
Review result Ready
Review completed: 2012-08-10


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

<> .

Please resolve these comments along with any other Last Call comments
you may receive.

Document:  draft-ietf-websec-strict-transport-sec-11
Reviewer: Ben Campbell
Review Date: 2012-07-24
IETF LC End Date: 2012-07-25

Summary: This draft is almost ready for publication as a proposed standard, but there are a few issues that should be considered first.

*** Major issues:


*** Minor issues:

-- Does this draft update any other RFCs (e.g. 2616 or 2818)? If so, that should be explicitly flagged and mentioned in the abstract.

-- I did not find any guidance on how to handle UAs that do not understand this extension. I don't know if this needs to be normative, but the draft should at least mention the possibility and implications.

-- How should a UA handle potential conflicts between a the policy record that includes the includeSubdomain, and any records for subdomains that might have different parameters?

-- section 6.1:

The draft mentions that directives may be extended, but defers creation of an IANA registry to the time of first extension. IANA registries are not expensive; I suggest it be created now. If there's a good reason not to, then the draft should still address the specification policy for extensions.

Also, do you expect that some future directive might need to have a "required-to-understand" status? Given that this is a security-affecting extension, it seems likely. If so, then the mechanism for expressing that needs to be defined in this draft.

-- section 7.2:

Am I correct to assume that the server must never just serve the content over a non-secure connection? If so, it would be helpful to mention that, maybe even normatively.

-- section 8.4:

Does this imply a duty for compliant UAs to check for revocation one way or another?

*** Nits/editorial comments:

-- idnits reports an uncited reference:

  == Unused Reference: 'RFC6376' is defined on line 1709, but no explicit
     reference was found in the text

-- section 1.2:

The description of indented notes is almost precisely the opposite of how they are described in the RFC editor's style guide. It describes them as "parenthetical" notes, which is how experienced RFC readers are likely to perceive them. While it doesn't say so explicitly, I think putting normative text in parenthetical notes should be avoided. If these are intended to be taken more strongly than that (and by the description, I take it they should be taken more strongly than the surrounding text), then I suggest choosing a stronger prefix than "NOTE:"

-- section 7:

Does the reference to I-D.ietf-tls-ssl-version3 indicate a requirement for SSL3? Also, that's a long expired draft, even for an informational reference.

-- section 8.2, paragraph 5 (first non-numbered paragraph after numbered list)

To be pedantic, this could be taken to mean a congruent match only applies if the includeSubdomains flag is not present. I assume it's intended to apply whether or not the flag is present.

-- section 12 and subsections:

I was surprised to see more apparently normative material after the non-normative guidance sections. I think it would improve the organization to put this closer to the normative rules for UAs.

-- section 14.1, 4th paragraph (first non-bulleted paragraph following bullet list)

This issue is only true for proxies that act as a TLS MiTM, right? Would proxies that tunnel TLS via the CONNECT method have this issue?

Gen-art mailing list
Gen-art at