Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9

[Julian Reschke <julian.reschke@gmx.de>]

On 2012-03-20 16:29, SM wrote:
> Hi Julian,
> At 02:35 19-03-2012, Julian Reschke wrote:
>> I'd like to point out that I still think my concerns over the
>> inconsistent use of quoted-string
>> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
>> are valid and not addressed; and I think they should be before you go
>> to IETF LC.
>
> Wasn't a similar issue raised in another WG recently?
> ...

Indeed; in the context of the auth parameters in the OAuth Bearer 
authentication scheme.

There's a slight difference though, the Bearer spec defined new 
parameters for an HTTP header field that already exists 
(WWW-Authenticate), while STS is a completely new header field.

In the first case, it's a bug (that got fixed), in this case it's "just" 
a bad idea. Note that HTTPbis P2 has advice with respect to this:

"Many header fields use a format including (case-insensitively) named 
parameters (for instance, Content-Type, defined in Section 6.8 of 
[Part3]). Allowing both unquoted (token) and quoted (quoted-string) 
syntax for the parameter value enables recipients to use existing parser 
components. When allowing both forms, the meaning of a parameter value 
ought to be independent of the syntax used for it (for an example, see 
the notes on parameter handling for media types in Section 2.3 of 
[Part3])." -- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1.p.8>

Best regards, Julian