Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9

Julian Reschke <julian.reschke@gmx.de> Tue, 20 March 2012 16:01 UTC

Message-ID: <4F68A9C7.1060309@gmx.de>
Date: Tue, 20 Mar 2012 17:01:11 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: SM <sm@resistor.net>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de> <6.2.5.6.2.20120320082723.09b07fa8@resistor.net>
In-Reply-To: <6.2.5.6.2.20120320082723.09b07fa8@resistor.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9

On 2012-03-20 16:29, SM wrote:
> Hi Julian,
> At 02:35 19-03-2012, Julian Reschke wrote:
>> I'd like to point out that I still think my concerns over the
>> inconsistent use of quoted-string
>> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
>> are valid and not addressed; and I think they should be before you go
>> to IETF LC.
>
> Wasn't a similar issue raised in another WG recently?
> ...

Indeed; in the context of the auth parameters in the OAuth Bearer 
authentication scheme.

There's a slight difference, though: the Bearer spec defined new 
parameters for an HTTP header field that already exists 
(WWW-Authenticate), while STS is a completely new header field.

In the first case it's a bug (that got fixed); in this case it's "just" 
a bad idea. Note that HTTPbis P2 has advice with respect to this:

"Many header fields use a format including (case-insensitively) named 
parameters (for instance, Content-Type, defined in Section 6.8 of 
[Part3]). Allowing both unquoted (token) and quoted (quoted-string) 
syntax for the parameter value enables recipients to use existing parser 
components. When allowing both forms, the meaning of a parameter value 
ought to be independent of the syntax used for it (for an example, see 
the notes on parameter handling for media types in Section 2.3 of 
[Part3])." -- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1.p.8>

Best regards, Julian
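The HTTPbis advice quoted in the message above says that when a header field parameter may be written either as a token or as a quoted-string, the two spellings must mean the same thing. The following is an added illustration by the editor of this page, not code from the draft, from Julian, or from any browser; it parses a Strict-Transport-Security field value under the assumed generic directive shape `directive-name [ "=" directive-value ]` with `directive-value = token / quoted-string`, strips the quoting before interpreting the value, and so accepts `max-age=31536000` and `max-age="31536000"` as the same policy. The "ignore the whole field" rules (missing or non-numeric max-age, a directive given twice) are this example's own policy choices, not a statement of what the draft requires.

```python
import re

# Editor's added example; not text or code from the draft or the thread.
# Assumed directive grammar (the shape of the draft's generic rule):
#   directive       = directive-name [ "=" directive-value ]
#   directive-name  = token
#   directive-value = token / quoted-string
# Following the HTTPbis P2 advice, a value means the same thing whether it
# arrives as a token or as a quoted-string, so quoting is removed first.

TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"          # HTTP tchar set
TOKEN_RE = re.compile(r"^[" + TCHAR + r"]+$")
DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")      # max-age value: 1*DIGIT


def _split_directives(field_value):
    """Split on ';' that is outside a quoted-string; raise on unterminated quotes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in field_value:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf))
    return parts


def _unquote(raw):
    """Return the value text without quoted-string syntax, or None if it is neither form."""
    raw = raw.strip()
    if raw.startswith('"'):
        if len(raw) < 2 or not raw.endswith('"'):
            return None
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # quoted-pair -> the quoted char
    if not TOKEN_RE.match(raw):
        return None
    return raw


def parse_directives(field_value):
    """Return [(lowercased name, unquoted value or None), ...]; raise ValueError on bad syntax."""
    out = []
    for raw in _split_directives(field_value):
        raw = raw.strip()
        if not raw:
            continue                                # tolerate an empty directive (trailing ';')
        name, sep, value = raw.partition("=")      # '=' is not a tchar, so this is the first '='
        name = name.strip()
        if not TOKEN_RE.match(name):
            raise ValueError("directive-name is not a token: %r" % name)
        if not sep:
            out.append((name.lower(), None))
            continue
        unq = _unquote(value)
        if unq is None:
            raise ValueError("directive-value is neither token nor quoted-string: %r" % value)
        out.append((name.lower(), unq))
    return out


def parse_sts(field_value):
    """Interpret an STS field value as {'max_age': int, 'include_subdomains': bool}.

    Returns None when this example's policy says the UA should ignore the field:
    syntax error, missing or non-numeric max-age, or any directive given twice.
    Unrecognised directives are skipped. includeSubDomains is defined without a
    value; this example does not police a value attached to it (assumption).
    """
    try:
        directives = parse_directives(field_value)
    except ValueError:
        return None
    seen, max_age, include_sub = set(), None, False
    for name, value in directives:
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if value is None or not DELTA_SECONDS_RE.match(value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}
```

The point of the example is `parse_sts('max-age=31536000; includeSubDomains')` and `parse_sts('max-age="31536000"; includeSubDomains')` yielding identical policies: the quoted-string is unwrapped by the generic directive parser before `max-age` is ever interpreted, so the directive's semantics never depend on which syntax the sender chose. A value that is well-formed as a quoted-string but not a delta-seconds, such as `max-age="ten"`, is still rejected, because unquoting and validating are separate steps.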