Hi,
I apologize if this is covered in the RFC and I did not see it, but I did
look for it.
While working on a script that fetches MTA-STS policies I encountered
two problems:
A) Some servers refuse connection if the client does not send a user
agent header.
B) Some servers refuse connections if you do send a user agent but the
server (correctly) identifies it as a bot rather than a browser.
RFC 8641 should be updated to REQUIRE that the policy server does NOT
reject requests without a user agent or with a user agent that the
server does not like.
Interference with automated retrieval of the policy means the policy
does not get applied.
It is not a common problem; it seems to happen most often when the policy
is hosted at Cloudflare, yet some policies hosted at Cloudflare seem to
not have this issue.
I'm not going to tell my script to lie in its user agent string, even
though that works. Dishonest identity of software should not be required
to implement a security policy.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
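
An added example, not part of the original message or of any project's code: a fetcher-side sketch that sends an honest User-Agent and separates a refused fetch (for example an HTTP 403 from a front end that filters clients) from a valid policy, so a refusal never overwrites a cached policy. The client name, the sample policy, and the helpers `build_request`, `parse_policy` and `apply_fetch` are assumptions for illustration; cache expiry and the network call itself are left out.

```python
import urllib.request

# Hypothetical, honest client identifier (an assumption for this example).
USER_AGENT = "example-mta-sts-fetcher/0.1 (+https://example.org/fetcher)"
# Constructed sample policy body (not taken from any real domain).
SAMPLE = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 86400\n"

def build_request(domain):
    """Request for the well-known policy URL, with an honest User-Agent."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    return urllib.request.Request(url, headers={"User-Agent": USER_AGENT})

def parse_policy(text):
    """Parse 'key: value' lines of an MTA-STS policy; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy.setdefault(key, value)  # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or unknown mode")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if absent
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("no mx patterns")
    return policy

def apply_fetch(cached, status, content_type, body):
    """Return (policy_to_use, outcome) for one fetch attempt.

    A refused or invalid fetch never replaces a cached policy; with no cache
    the domain ends up with no policy, which is the failure the post describes.
    """
    if status != 200:
        return cached, f"refused: HTTP {status}"
    if content_type.split(";")[0].strip().lower() != "text/plain":
        return cached, "invalid: unexpected media type"
    try:
        return parse_policy(body), "ok"
    except ValueError as exc:
        return cached, f"invalid: {exc}"
```

Logging the `refused` outcome separately from `invalid` makes it visible when a policy host is rejecting the client rather than publishing a broken policy.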