Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-07

"Murray S. Kucherawy" <msk@cloudmark.com> Fri, 04 May 2012 04:12 UTC

From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: [websec] new rev: draft-ietf-websec-strict-transport-sec-07
Date: Fri, 4 May 2012 04:12:38 +0000
Message-ID: <9452079D1A51524AA5749AD23E00392810C59D@exch-mbx901.corp.cloudmark.com>
References: <4FA19B4F.9060606@KingsMountain.com>
In-Reply-To: <4FA19B4F.9060606@KingsMountain.com>
Subject: Re: [websec] new rev: draft-ietf-websec-strict-transport-sec-07

> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of =JeffH
> Sent: Wednesday, May 02, 2012 1:39 PM
> To: IETF WebSec WG
> Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-07
> 
> New rev:
> https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-07

The ABNF is better but still doesn't allow for whitespace.  In particular, your example:

	Strict-Transport-Security: max-age=15768000 ; includeSubDomains

...does not match the current ABNF:

	Strict-Transport-Security = "Strict-Transport-Security" ":"
	                            [ directive ] *( ";" [ directive ] )

	directive = token [ "=" ( token | quoted-string ) ]

	where:

	token = <token, defined in [RFC2616], Section 2.2>
	quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>

In RFC2616, "token" is defined as:

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

So all the spaces after the colon are not currently valid.  I didn't know if you wanted to take the spaces out or allow them (probably the latter), so perhaps this is what you're after:

	directive = *( SP | HT ) token *( SP | HT ) [ "=" ( token | *( SP | HT ) quoted-string ) ]

-MSK
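The grammar point above is easiest to see by running it. The following parser is an added example (not code from the draft, the websec WG, or the message author): it applies the draft-07 ABNF literally, with RFC 2616 "token" excluding SP and HT, and then applies a whitespace-tolerant variant that skips SP/HT around ";" and "=" (a generalization of the proposed rewrite, which also tolerates whitespace after a token value). The function names `parse_sts`, `is_valid` and `hsts_policy`, and the `allow_ws` flag, are this example's own. The practical consequence is the last function: a user agent that cannot parse the field has no policy to enforce, so a header the grammar rejects is silently fail-open rather than an error the site operator sees.

```python
"""Parse a Strict-Transport-Security field value two ways: exactly as the
draft-07 ABNF is written (no whitespace anywhere) and with SP/HT tolerated
around ';' and '='.  Added example; not the draft's or the WG's code."""
import re

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>.
# CHAR is US-ASCII, CTLs are 0x00-0x1F and 0x7F, and the separators are the
# set quoted in the message above (note SP and HT are separators too).
_SEPARATORS = '()<>@,;:\\"/[]?={} \t'
_TCHAR = ''.join(c for c in map(chr, range(0x21, 0x7F)) if c not in _SEPARATORS)
_TOKEN_RE = re.compile('[' + re.escape(_TCHAR) + ']+')
# quoted-string = <"> *( qdtext | quoted-pair ) <">   (simplified: any char
# except '"' and '\', or a backslash-escaped ASCII char)
_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\[\x00-\x7f])*"')


def parse_sts(field_value, allow_ws=False):
    """Parse the text after 'Strict-Transport-Security:'.

    Returns a list of (directive-name, value-or-None) tuples in order, or
    raises ValueError naming the offending offset.  allow_ws=False applies
    the draft-07 grammar literally; allow_ws=True skips SP/HT between the
    grammar's words (this example's assumption about the intended fix).
    """
    pos, end = 0, len(field_value)
    directives = []

    def skip_ws():
        nonlocal pos
        if allow_ws:
            while pos < end and field_value[pos] in ' \t':
                pos += 1

    while True:
        skip_ws()
        m = _TOKEN_RE.match(field_value, pos)
        if m:                                   # [ directive ]
            name, pos = m.group(0), m.end()
            skip_ws()
            value = None
            if pos < end and field_value[pos] == '=':
                pos += 1
                skip_ws()
                m = _TOKEN_RE.match(field_value, pos) or _QUOTED_RE.match(field_value, pos)
                if m is None:
                    raise ValueError(f"offset {pos}: expected token or quoted-string after '='")
                value, pos = m.group(0), m.end()
                skip_ws()
            directives.append((name, value))
        if pos == end:
            return directives
        if field_value[pos] != ';':             # *( ";" [ directive ] )
            raise ValueError(f"offset {pos}: unexpected {field_value[pos]!r}")
        pos += 1


def is_valid(field_value, allow_ws=False):
    """True when the field value matches the selected grammar."""
    try:
        parse_sts(field_value, allow_ws)
        return True
    except ValueError:
        return False


def hsts_policy(field_value, allow_ws=False):
    """Derive {'max_age': int, 'include_subdomains': bool} from the field, or
    None when it is unparseable or lacks the required max-age directive.
    A UA with no parsed policy applies no HSTS protection at all, which is
    why a grammar that rejects the spec's own example matters."""
    try:
        directives = parse_sts(field_value, allow_ws)
    except ValueError:
        return None
    policy = {'max_age': None, 'include_subdomains': False}
    for name, value in directives:              # directive names are case-insensitive
        lname = name.lower()
        if lname == 'max-age' and value is not None:
            digits = value.strip('"')           # value may be a quoted-string
            if not digits.isdigit():
                return None
            policy['max_age'] = int(digits)
        elif lname == 'includesubdomains':
            policy['include_subdomains'] = True
    return policy if policy['max_age'] is not None else None


if __name__ == "__main__":
    # The example header from the draft, constructed here as the test input.
    example = "max-age=15768000 ; includeSubDomains"
    print("draft-07 grammar:", is_valid(example), hsts_policy(example))
    print("whitespace-tolerant:", is_valid(example, allow_ws=True),
          hsts_policy(example, allow_ws=True))
```

Running it prints that the draft's example is rejected by the literal grammar (no policy) and accepted by the tolerant one (max-age 15768000 with subdomains included); the same strict parser accepts the example once the spaces are removed, which is exactly the choice the message asks the editor to make.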