[websec] draft-ietf-websec-strict-transport-sec issue: "directive name" and "directive value"

Barry Leiba <barryleiba@computer.org> Mon, 09 July 2012 20:29 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7039611E81C2 for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 13:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.113
X-Spam-Level:
X-Spam-Status: No, score=-103.113 tagged_above=-999 required=5 tests=[AWL=-0.136, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8SPeoC6Dbofa for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 13:29:42 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id E178411E8171 for <websec@ietf.org>; Mon, 9 Jul 2012 13:29:41 -0700 (PDT)
Received: by qadz3 with SMTP id z3so1830999qad.10 for <websec@ietf.org>; Mon, 09 Jul 2012 13:30:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=fWLSwv3MTEfF8YQrbcklL86LFAlCpZTNhmZSrsHwh8k=; b=AK7jE7eO6UxMpUZ5US87TWcslSIjNihbpEXb25i+L8GA349OVlk9wz/4hI9SvK3Oog DtUNPTuK9PHc6P3rXN5NBb7khVqSMCUg3EUKVGJdBTUTPPa6lL2rmx9HzZTvoDxPwupP TwyNme8cjbIJrEK6V81OAKmwcPINJFmJ3cpptCyOVncJbKMydrDz9kvDAYb0mchxdkbP 8ZVjfHi/zxKwMyQFk5WqmuQZcgzcZ3hcUAVudUIG+n3wGu/Kk5IPcSIoPcAZziUS66uq rorEcnFzasUqD34BN6fjQ6H4uLMaqyxstJLrHU0WaOWl1gj1rHpmBaxTu5s1+/YlGd4c oLlw==
MIME-Version: 1.0
Received: by 10.229.136.142 with SMTP id r14mr22252612qct.70.1341865807276; Mon, 09 Jul 2012 13:30:07 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.229.245.85 with HTTP; Mon, 9 Jul 2012 13:30:07 -0700 (PDT)
Date: Mon, 9 Jul 2012 16:30:07 -0400
X-Google-Sender-Auth: TgopOT1uCB8zbhxJC5rT1iq2IV0
Message-ID: <CALaySJLZBab-YZyYp_LpDuZ3MM-QxwA6XJjiw-RZejWcQH4cCA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: websec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [websec] draft-ietf-websec-strict-transport-sec issue: "directive name" and "directive value"
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 20:29:42 -0000

The following came up in my AD review of
draft-ietf-websec-strict-transport-sec, and Jeff suggested that I
needed to take it to the list.  So here it is.

The ABNF in Section 6.1 has this:

   directive = token [ "=" ( token | quoted-string ) ]

Below that, bullet 3 says this:

   3.  Directive names are case-insensitive.

And in Section 6.1.1:

   The syntax of the max-age directive's value (after quoted-string
   unescaping, if necessary) is defined as:

Nothing defines what a directive name or a directive's value is.  You
and I know they're what's on the left side of the equals sign and the
right side, respectively.  We can't assume, though, that people will
figure out that the ABNF definition above turns into "name=value", and
will thus know what those terms mean, completely unambiguously, for
essentially all readers.

Making the grammar like this will fix it:

   directive = directive-name [ "=" directive-value ]
   directive-name = token
   directive-value = token | quoted-string

If there's a good reason not to make the ABNF change above, I'm happy
to accept some other way of defining the terms, but I think they must
be defined.  I think doing it with the ABNF is the easiest and
smoothest way.

Barry