[websec] draft-ietf-websec-strict-transport-sec issue: "directive name" and "directive value"
Barry Leiba <barryleiba@computer.org> Mon, 09 July 2012 20:29 UTC
Date: Mon, 9 Jul 2012 16:30:07 -0400
Message-ID: <CALaySJLZBab-YZyYp_LpDuZ3MM-QxwA6XJjiw-RZejWcQH4cCA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: websec@ietf.org
The following came up in my AD review of draft-ietf-websec-strict-transport-sec, and Jeff suggested that I needed to take it to the list. So here it is.

The ABNF in Section 6.1 has this:

   directive = token [ "=" ( token | quoted-string ) ]

Below that, bullet 3 says this:

   3. Directive names are case-insensitive.

And in Section 6.1.1:

   The syntax of the max-age directive's value (after quoted-string
   unescaping, if necessary) is defined as:

Nothing defines what a directive name or a directive's value is. You and I know they're what's on the left side of the equals sign and the right side, respectively. We can't assume, though, that people will figure out that the ABNF definition above turns into "name=value", and will thus know what those terms mean, completely unambiguously, for essentially all readers.

Making the grammar like this will fix it:

   directive = directive-name [ "=" directive-value ]
   directive-name = token
   directive-value = token | quoted-string

If there's a good reason not to make the ABNF change above, I'm happy to accept some other way of defining the terms, but I think they must be defined. I think doing it with the ABNF is the easiest and smoothest way.

Barry
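As an added illustration of the grammar under discussion (this is example code written for this archive page, not part of Barry's message, the HSTS draft, or any browser's implementation), here is a small parser that implements the directive-name / directive-value split he proposes and then applies the two rules the message quotes: directive names compare case-insensitively, and the max-age value is checked only after quoted-string unescaping. It assumes the HTTP/1.1 token and quoted-string rules the draft imports, and two processing rules taken from the published RFC 6797 rather than from this message: a directive name may not repeat, and max-age is required for the header to yield a policy.

```python
"""Parser for the HSTS directive grammar discussed in the message above.

Grammar assumed here (token and quoted-string are the HTTP/1.1 rules the
draft imports; the name/value split is the one proposed in the message):

    directive       = directive-name [ "=" directive-value ]
    directive-name  = token
    directive-value = token | quoted-string
    max-age-value   = 1*DIGIT           ; checked after quoted-string unescaping
"""
import re

# token: one or more tchar (the HTTP/1.1 token character set).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# quoted-string: DQUOTE *( qdtext | quoted-pair ) DQUOTE, inner text captured.
QUOTED_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _skip_ows(text, pos):
    """Advance past optional whitespace (SP / HTAB)."""
    while pos < len(text) and text[pos] in " \t":
        pos += 1
    return pos


def unescape_quoted_string(inner):
    """Resolve quoted-pairs: a backslash followed by any octet yields that octet."""
    return re.sub(r"\\(.)", r"\1", inner)


def parse_directives(field_value):
    """Split an STS field value into {directive-name: directive-value}.

    Names are case-insensitive (bullet 3 in the draft), so they are stored
    lower-cased; a directive without "=" maps to None.  Empty directives
    between ";" are tolerated.  A repeated name raises ValueError (RFC 6797
    rule, assumed here; a UA then ignores the whole header).
    """
    directives = {}
    text = field_value
    pos = 0
    while True:
        pos = _skip_ows(text, pos)
        if pos < len(text) and text[pos] != ";":
            m = TOKEN_RE.match(text, pos)
            if m is None:
                raise ValueError("expected directive-name at offset %d" % pos)
            name = m.group(0).lower()
            pos = _skip_ows(text, m.end())
            value = None
            if pos < len(text) and text[pos] == "=":
                pos = _skip_ows(text, pos + 1)
                m = QUOTED_STRING_RE.match(text, pos)
                if m is not None:
                    value = unescape_quoted_string(m.group(1))
                else:
                    m = TOKEN_RE.match(text, pos)
                    if m is None:
                        raise ValueError("expected directive-value at offset %d" % pos)
                    value = m.group(0)
                pos = _skip_ows(text, m.end())
            if name in directives:
                raise ValueError("directive %r appears more than once" % name)
            directives[name] = value
        if pos >= len(text):
            return directives
        if text[pos] != ";":
            raise ValueError("expected ';' at offset %d" % pos)
        pos += 1


def hsts_policy(field_value):
    """Turn an STS field value into the policy a UA would cache.

    max-age is required (RFC 6797 rule, assumed here) and its value must be
    1*DIGIT once any quoted-string escaping has been removed; unknown
    directives are ignored as extensions.
    """
    directives = parse_directives(field_value)
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    max_age = directives["max-age"]
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age value must be 1*DIGIT, got %r" % (max_age,))
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for sample in ('max-age=31536000; includeSubDomains',
                   'MAX-AGE="604800"; ext="a\\;b"',
                   'max-age=abc'):
        try:
            print(sample, "->", hsts_policy(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Because quoted-strings are matched before the value is split on ";", a quoted directive value containing a semicolon survives intact, which a naive split-then-strip parser would get wrong; and because names are lower-cased before the duplicate check, "max-age" and "MAX-AGE" correctly count as the same directive.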