Ratify STS

[jwheare]

Requirements from CONTRIBUTING.md:

• At least two server (or one bouncer, in the case of specifications specifically intended for IRC bouncers) implementations. • At least one client implementation.

I think in this case we need more than 1 complete client implementation.

Do the thing

• [x] #322 Removes draft/ prefix

Blockers

• [x] #301 Drops 3.3, moves from core -> extensions, copy edits and clarity
• [x] #295 preload key

Known implementations

Unchecked means incomplete or an intent to implement has been expressed. Any others?

Server (2/2)

• [x] Inspircd: irc://testnet.inspircd.org:6667 (@attilamolnar) https://github.com/inspircd/inspircd-extras/blob/master/2.0/m_ircv3_sts.cpp
• [x] IRCCloud teams (@jwheare)
• [x] oragono (@DanielOaks) https://oragono.io/specs.html
• [x] UnrealIRCd https://forums.unrealircd.org/viewtopic.php?f=1&t=8738

Client (2/2)

• [x] IRCCloud https://blog.irccloud.com/strict-transport-security/ (@jwheare)
• [x] Palaver https://cocode.org/blog/palaver-26/ (@kylef)
• [x] TingPing/irc-client@deb27ea7c32afad5b88ac477166f65d5ded0dccc
• [ ] Colloquy http://colloquy.info/project/changeset/6723 (@zadr)

Bouncer

• [ ] znc module https://gist.github.com/kylef/ab23a540ade465bf115558227789e0c9 (@kylef)

Library

• [x] KittehOrg/KittehIRCClientLib#139 (@lol768)

Networks

• [x] Snoonet: irc://irc.snoonet.org:6667
• [ ] Mozilla: irc.mozilla.org https://bugzilla.mozilla.org/show_bug.cgi?id=1338581
• [ ] irc.irccloud.com

[jwheare]

Thoughts on moving it from core -> extensions? I think it makes sense. Very little should be considered core really (if anything).

[lol768]

Discussed core vs extension on IRC with @jwheare - would agree that if specs are considered independent it makes sense to have STS an extension as long as its use (along with other security features, except the tls cap which would ideally be deprecated IMO) is recommended in some best practice document.

---

Is there a second server implementation?

[attilamolnar]

Thoughts on moving it from core -> extensions? I think it makes sense. Very little should be considered core really (if anything).

Created #299 to discuss core vs. extension because it affects several specs not only STS.

[jwheare]

Opened #301 with some edits.

[SadieCat]

Just some nits I have noticed:

---

Keys specified in this document MUST only occur at most once.

It would simplify things by removing "specified in this document" and requiring all keys to be unique like tags.

---

Clients might consider allowing users to explicitly define an STS policy for a given host, before any interaction with the host.

Probably should be:

Clients MAY allow users to explicitly define an STS policy for a given host, before any interaction with the host.

---

[jwheare]

The concept of keys in cap values isn't standard, but only defined in certain specs for the moment.

normative: MAY, non-normative: might consider

[jwheare]

Done and live. http://ircv3.net/specs/extensions/sts.html