[whatwg] fyi: Strict Transport Security specification
Jeff.Hodges at KingsMountain.com
Sat Sep 19 16:59:38 PDT 2009
Of possible interest to public-html@ & whatwg@ denizens...
[apologies for duplication]
------- Forwarded Message
Date: Fri, 18 Sep 2009 18:00:50 -0700
From: =JeffH <Jeff.Hodges at KingsMountain.com>
To: public-webapps at w3.org
cc: Jeff Hodges <jeff.hodges at paypal.com>,
Adam Barth <abarth at eecs.berkeley.edu>,
Collin Jackson <collin.jackson at sv.cmu.edu>
Subject: fyi: Strict Transport Security specification
We wish to bring the following draft specification to your attention..
Strict Transport Security (STS)
It specifies a refined approach to that described by Jackson and Barth in..
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
An experimental implementation of STS will be appearing in the Google Chrome
dev channel in the not-too-distant future..
Google Chrome 220.127.116.11 (dev channel)
Sid Stamm (of Mozilla) has a Firefox extension presently implementing
an earlier revision of this specification (a soon-to-appear v2.0 of
the extension will implement the present spec version)..
Sid also discusses this approach in this blog post..
Locking up the valuables: Opt-in security with ForceTLS
We are interested in bringing this work to W3C WebApps Working Group as a
Recommendation-track specification. We are willing to license it under W3C
terms, we understand that it may change due to implementer or public feedback,
and that should it be of interest to other implementors, we're willing to
contribute to editorial and test suite efforts.
We're looking forward to the WebApps WG's feedback and comments.
PayPal InfoSec Team
Carnegie Mellon University
University of California Berkeley
------- End of Forwarded Message
More information about the whatwg