Re: [websec] Strict-Transport-Security syntax redux

Adam Barth <ietf@adambarth.com> Fri, 30 December 2011 18:38 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 633EB21F8770 for <websec@ietfa.amsl.com>; Fri, 30 Dec 2011 10:38:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jeQMRNAx6FI8 for <websec@ietfa.amsl.com>; Fri, 30 Dec 2011 10:38:11 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id CEBC721F86DD for <websec@ietf.org>; Fri, 30 Dec 2011 10:38:11 -0800 (PST)
Received: by iabz21 with SMTP id z21so3956245iab.31 for <websec@ietf.org>; Fri, 30 Dec 2011 10:38:11 -0800 (PST)
Received: by 10.42.163.200 with SMTP id d8mr42546571icy.41.1325270291489; Fri, 30 Dec 2011 10:38:11 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id d19sm130213958ibh.8.2011.12.30.10.38.08 (version=SSLv3 cipher=OTHER); Fri, 30 Dec 2011 10:38:08 -0800 (PST)
Received: by iabz21 with SMTP id z21so3956138iab.31 for <websec@ietf.org>; Fri, 30 Dec 2011 10:38:08 -0800 (PST)
Received: by 10.42.151.195 with SMTP id f3mr42201504icw.19.1325270288108; Fri, 30 Dec 2011 10:38:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.62.139 with HTTP; Fri, 30 Dec 2011 10:37:37 -0800 (PST)
In-Reply-To: <4EFD8BCE.7010909@gmx.de>
References: <4EAB66B3.4090404@KingsMountain.com> <4EABB25E.9000900@gmx.de> <4EFC5F7B.7050304@gmx.de> <CAJE5ia_HhenArVey=5-ttLqh4-vbBE01TFZKuzAmAtHQJQJ3kQ@mail.gmail.com> <4EFCD7E4.5060507@gmx.de> <CAJE5ia-w47HHhnTBAE_PMApAAdCu=6PJexaaoJO0MZ23Ae-vcw@mail.gmail.com> <4EFCDA9C.90308@gmx.de> <CAJE5ia-E1nhN1YGV6uy3uEq4oboQowDm4FboKbWV1kunHQmXPw@mail.gmail.com> <4EFCDDD5.6040005@gmx.de> <CAJE5ia8CL9ozRJgRNCdu6XwVT0paVuVUreB12f-BiMvH+wiq6A@mail.gmail.com> <4EFD73E6.1060506@gmx.de> <CAJE5ia8RBa8iCd_9TjXyzG54VASa6qqGomsO9gL-qQ2ia=BKLg@mail.gmail.com> <4EFD7C09.9050702@gmx.de> <CAJE5ia8aN_MKUX_7ehp6siw=CY7nC4aSRPoPcsaDX8+emwaFVw@mail.gmail.com> <4EFD8BCE.7010909@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 30 Dec 2011 10:37:37 -0800
Message-ID: <CAJE5ia9cziSx-xb6nCEFXJkbu2Ls_ZQmYHpfrC7UK3ig3ZmM2g@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2011 18:38:12 -0000

It seems we're not in agreement.  We can repeat the same arguments
over and over again, but it's not clear that would be productive.

Adam


On Fri, Dec 30, 2011 at 2:00 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-12-30 10:13, Adam Barth wrote:
>>
>> Using quoted-string in the extension directive is the wrong thing to
>> do.  Because none of the actual directives use quoted-string, folks
>> are likely to write parsers that don't handle all the complexities of
>> quoted-string (which are legion).  That means when we go to actually
>> use quoted-string in a future directive, it won't actually work in
>> many user agents.
>
>
> Unless we clarify the syntax, allow q-s everywhere, and have test cases.
>
>
>> On the other hand, if we spec the extension directives without
>> quoted-string, future extensions will work even if folks mistakenly
>> implement quote-string (because DQUOTE is forbidden in the extension
>> syntax I suggested above, so we'll never trigger the mistaken
>> quoted-string parsing code).  Everyone lives a happy life.
>
>
> Absolutely not.
>
> First of all, some implementations will parse q-s, because that's consistent
> with other header fields. Also, not having q-s makes certain values
> impossible to send, in which case you'll need to invent yet another escaping
> syntax.
>
>
>> Anyway, it's all somewhat of a moot point because the above will
>> happen regardless of what we write in the spec.  Even if we write
>> quoted-string, when folks attempt to use these extension directives in
>> the future, they'll find that they don't work and they'll update the
>> syntax not to use quoted-string.
>
>
> Why would they find that? Implementations can be fixed.
>
> Or is this argument based on the fact that you *currently* "own" one
> implementation and claim it can't be fixed? That would be a very strange
> thing to do in the context of an IETF WG trying to reach consensus.
>
> Best regards, Julian
>
> PS: I note that we are in violent agreement that the syntax should be the
> same for all directives, predefined or extension. We just come to different
> conclusions about what that syntax should be.