Re: [websec] Strict-Transport-Security syntax redux

Julian Reschke <julian.reschke@gmx.de> Thu, 29 December 2011 21:38 UTC

Message-ID: <4EFCDDD5.6040005@gmx.de>
Date: Thu, 29 Dec 2011 22:38:29 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Adam Barth <ietf@adambarth.com>
References: <4EAB66B3.4090404@KingsMountain.com> <4EABB25E.9000900@gmx.de> <4EFC5F7B.7050304@gmx.de> <CAJE5ia_HhenArVey=5-ttLqh4-vbBE01TFZKuzAmAtHQJQJ3kQ@mail.gmail.com> <4EFCD7E4.5060507@gmx.de> <CAJE5ia-w47HHhnTBAE_PMApAAdCu=6PJexaaoJO0MZ23Ae-vcw@mail.gmail.com> <4EFCDA9C.90308@gmx.de> <CAJE5ia-E1nhN1YGV6uy3uEq4oboQowDm4FboKbWV1kunHQmXPw@mail.gmail.com>
In-Reply-To: <CAJE5ia-E1nhN1YGV6uy3uEq4oboQowDm4FboKbWV1kunHQmXPw@mail.gmail.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux

On 2011-12-29 22:32, Adam Barth wrote:
> On Thu, Dec 29, 2011 at 1:24 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> On 2011-12-29 22:18, Adam Barth wrote:
>>> On Thu, Dec 29, 2011 at 1:13 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>>> On 2011-12-29 20:50, Adam Barth wrote:
>>>>> As I wrote before, I don't think we should include quoted-string in
>>>>> the grammar.  As far as I know, no one has implemented it and I have
>>>>> no plans to implement quoted-string in Chrome.  Having quoted-string
>>>>> in the grammar only leads to pain.
>>>>
>>>> It would be helpful if you were more precise on the pain it causes,
>>>> considering you need to process extension directives anyway...
>>>
>>> We've been over this several times before.  The problem is the
>>> requirement to balance DQUOTE and the complexities surrounding the
>>> error conditions if the DQUOTEs don't balance properly (including
>>> escaping).
>>
>> Yes, but you are avoiding the question I asked. Are you implementing
>> quoted-string for extension parameters?
>
> No.
>
> Here's the grammar I recommend:
>
>     Strict-Transport-Security = "Strict-Transport-Security" ":"
>                                     directive *( ";" [ directive ] )
>
>     directive         = max-age | includeSubDomains | STS-d-ext
>     max-age           = "max-age" "=" delta-seconds
>     includeSubDomains = "includeSubDomains"
>     STS-d-ext     = token [ "=" token ]
>
> I would also define the precise requirements for parsing all possible
> input sequences, but I understand that's not fashionable.

Ack. This is at least consistent.

That being said, I disagree. token=quoted-string is widely implemented, 
and if there are clients not getting it right we should fix them.

If you are aware of specific clients having this problem please list 
them so we can open bug reports.

Best regards, Julian
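The two positions in this exchange can be compared concretely: the token-only grammar Adam recommends, and Julian's preferred grammar in which a directive value may also be a quoted-string. The code below is an added illustration, not code from either participant, from Chrome, or from any draft. It assumes the RFC 2616 definitions of token and quoted-string (with backslash quoted-pairs), treats directive names case-insensitively, rejects a field in which a directive repeats, and requires a numeric max-age; those last three rules are the ones RFC 6797 later fixed and are not stated in the grammar quoted above. The function names (parseStsTokenOnly, parseStsQuoted, toPolicy, stsPolicy) and the sample header values in SAMPLES are constructed for the example.

```javascript
// RFC 2616 token: CHAR except CTLs, SP and the separators listed here.
const SEPARATORS = '()<>@,;:\\"/[]?={} \t';
function isTokenChar(ch) {
  const c = ch.charCodeAt(0);
  return c > 32 && c < 127 && !SEPARATORS.includes(ch);
}
function isToken(s) {
  return s.length > 0 && [...s].every(isTokenChar);
}

// Grammar A (token-only): directive *( ";" [ directive ] ),
// STS-d-ext = token [ "=" token ]. Because neither ";" nor "=" can occur
// inside a token, splitting on ";" is sufficient.
function parseStsTokenOnly(field) {
  const directives = [];
  for (const raw of field.split(";")) {
    const d = raw.trim();
    if (d === "") continue;                       // [ directive ] may be empty
    const eq = d.indexOf("=");
    const name = eq < 0 ? d : d.slice(0, eq).trim();
    const value = eq < 0 ? null : d.slice(eq + 1).trim();
    if (!isToken(name) || (value !== null && !isToken(value))) return null;
    directives.push({ name, value });
  }
  return directives.length ? directives : null;
}

// Grammar B (token | quoted-string): ";" and "=" may appear inside the
// quotes, so a character-level scanner is needed. The whole field is
// rejected on an unbalanced DQUOTE or a dangling backslash.
function parseStsQuoted(field) {
  const directives = [];
  let i = 0;
  const n = field.length;
  const skipWs = () => { while (i < n && (field[i] === " " || field[i] === "\t")) i++; };
  const readToken = () => { const s = i; while (i < n && isTokenChar(field[i])) i++; return field.slice(s, i); };
  for (;;) {
    skipWs();
    if (i >= n) break;
    if (field[i] === ";") { i++; continue; }      // empty directive
    const name = readToken();
    if (!name) return null;
    skipWs();
    let value = null;
    if (i < n && field[i] === "=") {
      i++;
      skipWs();
      if (i < n && field[i] === '"') {
        i++;
        let out = "";
        for (;;) {
          if (i >= n) return null;                // unbalanced DQUOTE
          const ch = field[i++];
          if (ch === '"') break;
          if (ch === "\\") {
            if (i >= n) return null;              // dangling quoted-pair
            out += field[i++];
          } else {
            out += ch;
          }
        }
        value = out;
      } else {
        value = readToken();
        if (!value) return null;
      }
      skipWs();
    }
    if (i < n && field[i] !== ";") return null;   // junk after a directive
    directives.push({ name, value });
  }
  return directives.length ? directives : null;
}

// Directive list -> policy object. Names compared case-insensitively, each
// directive at most once, numeric max-age required (assumed here; these are
// the processing rules RFC 6797 later specified).
function toPolicy(directives) {
  if (!directives) return null;
  const seen = new Set();
  const policy = { maxAge: null, includeSubDomains: false, extensions: {} };
  for (const { name, value } of directives) {
    const key = name.toLowerCase();
    if (seen.has(key)) return null;
    seen.add(key);
    if (key === "max-age") {
      if (value === null || !/^[0-9]+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (key === "includesubdomains") {
      policy.includeSubDomains = true;
    } else {
      policy.extensions[key] = value;
    }
  }
  return policy.maxAge === null ? null : policy;
}

function stsPolicy(field, allowQuoted) {
  return toPolicy(allowQuoted ? parseStsQuoted(field) : parseStsTokenOnly(field));
}

// Constructed header field values; not taken from any real server.
const SAMPLES = {
  plain: "max-age=31536000; includeSubDomains",
  quotedAge: 'max-age="31536000"; includeSubDomains',
  unbalanced: 'max-age="31536000; includeSubDomains',
  escaped: 'max-age=300; ext="a\\"b;c"',
  duplicate: "max-age=300; max-age=600",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, field] of Object.entries(SAMPLES)) {
    console.log(label, "token-only:", JSON.stringify(stsPolicy(field, false)),
                "quoted:", JSON.stringify(stsPolicy(field, true)));
  }
}
```

Run with node. The token-only parser rejects `max-age="31536000"` outright, so a server that quotes the value gets no HSTS policy from such a UA at all; the quoted-string parser accepts it but has to carry the extra scanning state and must still reject the unbalanced form rather than guess where the value ends, which is the "pain" Adam refers to. The grammar that was eventually published in RFC 6797, section 6.1, uses `directive-value = token | quoted-string`, i.e. the second shape.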