Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finalizing the HTTPS-Only Standard as formal policy #108

Merged
merged 15 commits into from
Jun 8, 2015
Merged

Finalizing the HTTPS-Only Standard as formal policy #108

merged 15 commits into from
Jun 8, 2015

Conversation

konklone
Copy link
Contributor

@konklone konklone commented Jun 8, 2015

The proposed HTTPS-Only Standard has now been finalized as the White House Office of Management and Budget memorandum M-15-13, "Policy to Require Secure Connections across Federal Websites and Web Services".

This pull request contains some changes between the original proposal, and the finalized version, detailed below.

Thanks to everyone who participated in the public comment period! The public comment period elicited a number of highly detailed and helpful submissions, and the resulting policy is better for this feedback.

For more details, the White House, 18F, and the CIO Council each have some accompanying blog posts about the release of the policy:

Below are some details on the changes we've made since the original proposal. I've mapped some to commits, but some are lumped in to others.

  • 725b141 - Emphasize that high-priority websites should begin the HTTPS migration process immediately, and set a specific deadline of December 31, 2016.
  • 7f0836c - Elaborate on planning for change, mention cipher/protocol choices and forward secrecy explicitly.
  • 6cb9a30 and eee26c9 - Incorporate the IETF's suggested revisions on integrity in Changes per IETF IAB comments #97, and then make further edits to relevant areas to clarify mixed content and SNI. Thanks to @josephlhall for the detailed pull request.
  • e2061fe - A number of non-substantive copy changes, and rewording to reflect the transition from proposal to policy.

Thank you again to everyone who participated!

Fixes #78, fixes #79, fixes #80, fixes #81, fixes #83, fixes #84, fixes #86, fixes #87, fixes #88, fixes #89, fixes #92, fixes #93, fixes #94, fixes #95, fixes #96, fixes #97, fixes #98, fixes #99, fixes #100, fixes #101, fixes #103, fixes #104, fixes #105, fixes #106, and fixes #107.

titanous and others added 15 commits March 17, 2015 11:25
@titanous
Remove 'perfect' from forward secrecy section
45fedec 
Calling forward secrecy 'perfect' is misleading and unnecessary. 'Key erasure' is more accurate, but 'forward secrecy' has stuck.
@josephlhall @konklone
Changes per IETF IAB comments
6cb9a30
@konklone
Tweaks to IETF submitted changes.
eee26c9 
* Incorporate integrity mention into Goal paragraph more tersely.
* Remove privacy mention from SNI paragraph, since the concern is
  described earlier in the memo ("What HTTPS Doesn't Do"), and is
  now incorporated into the SNI document this paragraph links to.
* Remove description of HTTPS config issues for third party
  content from Mixed Content paragraph. HTTPS resources from third
  parties is no longer "mixed content", and is better handled in
  the guidance. Added a link to the guidance page for Mixed
  Content.
* Edit Security Considerations paragraph on mixed content page to
  describe the issue as "third party content" (since the content
  is no longer mixed) and to emphasize that these considerations
  are not *introduced* by HTTPS, but are rather still present
  under HTTPS (though the situation is much improved).
@konklone
Emphasize that the HSTS max-age is also part of the requirement.
19c0a26
@konklone
remove public comment paragraph
983bb1d
@konklone
technical assistance paragraph was duplicated
e187758
@konklone
Merge branch 'patch-1' of https://github.com/titanous/https into changes
af9fe24
@konklone
Be more explicit about planning for change, mention FS.
7f0836c
@konklone
Be more explicit about prioritization, and compliance timeframe.
725b141 
This indicates explicitly that priority websites should begin
their migration immediately. Timeframe is adjusted from "two years"
to December 31, 2016.
@konklone
be explicit about keeping apprised of besty practices
ff63269
@konklone
be explicit about keeping apprised of best practices
fe39bc6
@konklone
Merge branch 'changes' of github.com:18F/https into changes
6890052
@konklone
more changes and language tweaks to match memo
e2061fe
@konklone
clarify a bit
fbeab38
@konklone
fix a couple typos
8f614a0
konklone added a commit that referenced this pull request Jun 8, 2015
@konklone
Merge pull request #108 from GSA/changes
855266c 
Finalizing the HTTPS-Only Standard as formal policy
@konklone konklone merged commit 855266c into master Jun 8, 2015
@konklone konklone deleted the changes branch June 8, 2015 20:10
@konklone konklone mentioned this pull request Jun 9, 2015
Closed
@konklone konklone mentioned this pull request Mar 23, 2016
Closed
@konklone konklone mentioned this pull request Dec 22, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@konklone @titanous @josephlhall