Re: [websec] ignoring STS header fields with undefined directives (was: new rev: draft-ietf-websec-strict-transport-sec-08)

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 01 June 2012 18:32 UTC

Message-ID: <4FC90AA5.8090502@KingsMountain.com>
Date: Fri, 01 Jun 2012 11:32:05 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] ignoring STS header fields with undefined directives (was: new rev: draft-ietf-websec-strict-transport-sec-08)

 > Most of my issues were addressed in the latest version, except for this one:
 >
 >  > 6.1.  Strict-Transport-Security HTTP Response Header Field
 >  >
 >  > 4.  UAs MUST ignore any STS header fields containing directives, or
 >  >      other header field value data, that does not conform to the
 >  >      syntax defined in this specification.
 >
 > So this is saying that syntactically invalid STS header fields are
 > to be ignored. This still doesn't say if unrecognized directives are to
 > be ignored or not. (Because they can comply with the generic syntax for
 > directives, so they would be syntactically valid, albeit unrecognized).
 > So can you please add an explicit sentence about that?


Here's the text in my working copy for that item:

             <t>
               UAs MUST ignore any STS header fields containing
               directives, or other header field value data, that does
               not conform to the syntax defined in this specification.
               UAs MUST also ignore any STS header fields containing
               undefined directives.
             </t>

Ok?

thanks,

=JeffH
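As an added illustration of the rule in the working-copy text above (this is not code from the draft, the WG, or the author): a parser that applies the "ignore the whole STS header field" rule to a single field value. It assumes the draft's directive syntax (a token directive-name with an optional token or quoted-string value, directives separated by ";"), that max-age and includeSubDomains are the only defined directives, and that a directive may appear at most once; the function name and the sample field values are constructed for this example.

```python
import re
from typing import Optional

# HTTP token and quoted-string (the RFC 2616 forms the STS ABNF builds on).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
_DELTA_SECONDS = re.compile(r"^[0-9]+$")

# Directive names defined by the draft (compared case-insensitively).
# Anything else is an undefined directive and voids the whole field.
_DEFINED = {"max-age", "includesubdomains"}


def parse_sts(field_value: str) -> Optional[dict]:
    """Parse one Strict-Transport-Security field value.

    Returns {"max-age": int, "includeSubDomains": bool}, or None when the
    UA must ignore the field: bad syntax, an undefined or duplicate
    directive, or a missing / non-numeric max-age.
    """
    seen = {}
    for raw in field_value.split(";"):
        item = raw.strip()
        if not item:
            continue  # the ABNF permits empty directive slots ("a;;b", "a;")
        name, has_value, value = item.partition("=")
        name = name.strip().lower()
        if not _TOKEN.match(name) or name in seen:
            return None  # malformed directive-name, or directive repeated
        if name not in _DEFINED:
            return None  # undefined directive: ignore the entire field
        if has_value:
            value = value.strip()
            quoted = _QUOTED.match(value)
            if quoted:
                value = re.sub(r"\\(.)", r"\1", quoted.group(1))  # unescape
            elif not _TOKEN.match(value):
                return None  # value is neither token nor quoted-string
        else:
            value = None
        seen[name] = value

    max_age = seen.get("max-age")
    if max_age is None or not _DELTA_SECONDS.match(max_age):
        return None  # max-age is REQUIRED and its value must be delta-seconds
    if "includesubdomains" in seen and seen["includesubdomains"] is not None:
        return None  # includeSubDomains is valueless; this example rejects a value
    return {"max-age": int(max_age), "includeSubDomains": "includesubdomains" in seen}
```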