Re: [websec] Strict-Transport-Security syntax redux

Julian Reschke <> Fri, 30 December 2011 10:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E37DD21F8B54 for <>; Fri, 30 Dec 2011 02:00:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.428
X-Spam-Status: No, score=-103.428 tagged_above=-999 required=5 tests=[AWL=-0.829, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LcXDMvR8sc1d for <>; Fri, 30 Dec 2011 02:00:56 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 1875521F8B4E for <>; Fri, 30 Dec 2011 02:00:55 -0800 (PST)
Received: (qmail invoked by alias); 30 Dec 2011 10:00:52 -0000
Received: from (EHLO []) [] by (mp033) with SMTP; 30 Dec 2011 11:00:52 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX197fXBIw7R7+UGtfSPnq+PiIeReAokl5+74txYwSy a8LhiViJfB3tBs
Message-ID: <>
Date: Fri, 30 Dec 2011 11:00:46 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Adam Barth <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Dec 2011 10:00:58 -0000

On 2011-12-30 10:13, Adam Barth wrote:
> Using quoted-string in the extension directive is the wrong thing to
> do.  Because none of the actual directives use quoted-string, folks
> are likely to write parsers that don't handle all the complexities of
> quoted-string (which are legion).  That means when we go to actually
> use quoted-string in a future directive, it won't actually work in
> many user agents.

Unless we clarify the syntax, allow q-s everywhere, and have test cases.

> On the other hand, if we spec the extension directives without
> quoted-string, future extensions will work even if folks mistakenly
> implement quote-string (because DQUOTE is forbidden in the extension
> syntax I suggested above, so we'll never trigger the mistaken
> quoted-string parsing code).  Everyone lives a happy life.

Absolutely not.

First of all, some implementations will parse q-s, because that's 
consistent with other header fields. Also, not having q-s makes certain 
values impossible to send, in which case you'll need to invent yet 
another escaping syntax.

> Anyway, it's all somewhat of a moot point because the above will
> happen regardless of what we write in the spec.  Even if we write
> quoted-string, when folks attempt to use these extension directives in
> the future, they'll find that they don't work and they'll update the
> syntax not to use quoted-string.

Why would they find that? Implementations can be fixed.

Or is this argument based on the fact that you *currently* "own" one 
implementation and claim it can't be fixed? That would be a very strange 
thing to do in the context of an IETF WG trying to reach consensus.

Best regards, Julian

PS: I note that we are in violent agreement that the syntax should be 
the same for all directives, predefined or extension. We just come to 
different conclusions about what that syntax should be.