[websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 09 March 2012 16:02 UTC

Message-ID: <4F5A299D.2040206@KingsMountain.com>
Date: Fri, 09 Mar 2012 08:02:37 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04

 > On 2012-03-09 00:41, =JeffH wrote:
 >> Thanks for the review Julian,
 >>
 >>  > The ABNF now is:
 >>  >
 >>  > Strict-Transport-Security = "Strict-Transport-Security" ":"
 >>  > directive *( ";" [ directive ] )
 >>  >
 >>  >
 >>  > directive = token [ "=" ( token | quoted-string ) ]
 >>  >
 >>  > ...and I think this is almost right.
 >>  >
 >>  > It does allow empty directives (thus repeated or trailing semicolons),
 >>  > but not leading semicolons.
 >>  >
 >>  > So
 >>  >
 >>  > STS: foo ;
 >>  >
 >>  > parses, but
 >>  >
 >>  > STS: ; foo
 >>  >
 >>  > does not.
 >>
 >> well, I guess a question is whether we want "STS: ; foo " to "parse" ?
 >>
 >> I'm not sure we do, but can be convinced otherwise.
 >
 > Well, either be permissive with respect to superfluous delimiters or
 > don't; but allowing them in one place but not the other?

Yeah, seems fine, I'll make that change. The language describing the specifics 
of the presently defined directives addresses their cardinality and 
required/optional presence.

 >>  > For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
 >>  > should be legal here (I understand that's
 >>  > <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
 >>
 >> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
 >> includeSubDomains directives, and neither of those directives employ
 >> quoted-string, and I don't think they need to or should.
 >
 > I think they should, because it's likely that people will write parsers
 > that allow both, thus you'll have an automated (and totally unneeded)
 > interoperability problem.

Well, I'm not terribly convinced about this, especially given my code 
reconnaissance in Firefox and Chrome. The spec clearly states what the syntax 
is for those directives and it doesn't encompass quoted-string variants of the 
values for max-age and delta-seconds. I think adding something like that will 
needlessly complicate the spec, so I respectfully decline to make such a change.

best regards,

=JeffH
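The two points argued in this thread (whether a leading ";" parses, and whether max-age may take a quoted-string) are easiest to see in a small parser written against the quoted ABNF. This is an added illustration, not code from the draft, Firefox or Chrome; the token character class is assumed from the HTTP token grammar, and the allow_leading_semicolon switch stands in for the relaxation Jeff agrees to make.

```python
import re

# Assumed token / quoted-string shapes (HTTP tchar set); constructed for this
# example, not taken from the draft.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE = re.compile(rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*$")


def parse_sts(value, allow_leading_semicolon=False):
    """Parse an STS field value per  directive *( ";" [ directive ] ).

    Empty elements after the first are tolerated (repeated or trailing
    semicolons), so "foo ;" parses. A leading semicolon makes the first
    directive empty, which the quoted ABNF rejects; pass
    allow_leading_semicolon=True to get the relaxed behaviour instead.
    Returns a list of (name, value) pairs, value=None when absent.
    """
    parts = value.split(";")
    if not parts[0].strip():
        if not allow_leading_semicolon:
            raise ValueError("leading semicolon: first directive is empty")
        parts = parts[1:]
    directives = []
    for part in parts:
        if not part.strip():
            continue  # empty directive, allowed by [ directive ]
        m = DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"bad directive: {part!r}")
        directives.append((m.group(1), m.group(2)))
    if not directives:
        raise ValueError("at least one directive is required")
    return directives


def max_age(directives):
    """Return max-age as an int, accepting only bare delta-seconds.

    A quoted value such as max-age="3600" is rejected, matching the
    position that 6.1.1 / 6.1.2 do not admit quoted-string forms.
    """
    for name, val in directives:
        if name.lower() == "max-age":
            if val is None or not val.isdigit():
                raise ValueError(f"max-age must be delta-seconds, got {val!r}")
            return int(val)
    raise ValueError("max-age directive missing")
```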