Re: [websec] Strict-Transport-Security syntax redux

"Roy T. Fielding" <fielding@gbiv.com> Fri, 30 December 2011 04:11 UTC

Return-Path: <fielding@gbiv.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A7421F8467 for <websec@ietfa.amsl.com>; Thu, 29 Dec 2011 20:11:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWpDpJ7kp0zG for <websec@ietfa.amsl.com>; Thu, 29 Dec 2011 20:11:29 -0800 (PST)
Received: from homiemail-a32.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by ietfa.amsl.com (Postfix) with ESMTP id CAC0D21F8466 for <websec@ietf.org>; Thu, 29 Dec 2011 20:11:29 -0800 (PST)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id 744D6584058; Thu, 29 Dec 2011 20:11:29 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gbiv.com; h=subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to; q=dns; s=gbiv.com; b=KPIiZXJ5iKk/iCqQ 8M8IA6krEQNL1G3HlD0Z8z4mOseqb7MhHTyXwZbs8yH5xwbrmK7P7jNhjX0KtOHr 5xe3i6IM5fvlmsexHoj/xBpWr49xVgE0W0+yVkzJqi2MtwMH+mZZ1i70IAWiaLNs t3vuGgyaFoI0NM+UNXZQ0D++wo4=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=subject :mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=GUUJgvDDBuGpLPAkYWUSPkIZ/9I=; b=6GlNx1c1Pm3Y/UuUsl81G8nWuOYf EDreHbFZAVuyRCR6RA2AvFKKkJc051fbtvJ8uaiCFsFo9HpH4BBhru4zTPKEWiaW /gSaVGJ2TJqBwUoEpGgvLCNqGUQzY8Oss3tNhiprAMHS0/0NRyJ77zZZDIATzdgK YgitlsdPiZT8ZuQ=
Received: from [10.134.89.89] (unknown [75.103.10.98]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPSA id 4B599584057; Thu, 29 Dec 2011 20:11:29 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <CAJE5ia8L4UV-06JXVXZ1KuHd9hg=0KoaqxSX3W7RSwoCE8tQTA@mail.gmail.com>
Date: Thu, 29 Dec 2011 20:11:27 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <168B10CA-0522-4A60-BAC8-597472B79882@gbiv.com>
References: <4EFD0D7D.7040908@KingsMountain.com> <CAJE5ia8L4UV-06JXVXZ1KuHd9hg=0KoaqxSX3W7RSwoCE8tQTA@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2011 04:11:30 -0000

On Dec 29, 2011, at 5:22 PM, Adam Barth wrote:

> On Thu, Dec 29, 2011 at 5:01 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>> Adam Barth noted:
>>> I would also define the precise requirements for parsing all possible
>>> input sequences, but I understand that's not fashionable.
>> 
>> By that, you are suggesting specification of parsing algorithms as done in
>> RFC6265 "HTTP State Management Mechanism", yes?
> 
> I actually think what we're doing for CSP is slightly better:
> 
> http://www.w3.org/TR/CSP/#policies

Hmm, that algorithm breaks on 

   foo;;bob

which is allowed by the associated ABNF.  *shrug*

I don't think I'll ever understand why you keep promoting Ian's
mantra on specs being written as algorithms.  The algorithms that
you end up placing in the specs have more bugs than the code
found in the actual implementations, and they aren't any more
formal than the ABNF.

....Roy