Re: [websec] Strict-Transport-Security syntax redux

Julian Reschke <julian.reschke@gmx.de> Fri, 30 December 2011 08:53 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57D921F8B54 for <websec@ietfa.amsl.com>; Fri, 30 Dec 2011 00:53:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.48
X-Spam-Level:
X-Spam-Status: No, score=-103.48 tagged_above=-999 required=5 tests=[AWL=-0.881, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwPkLs+Ha1Ic for <websec@ietfa.amsl.com>; Fri, 30 Dec 2011 00:53:35 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id BFBEB21F8B4F for <websec@ietf.org>; Fri, 30 Dec 2011 00:53:34 -0800 (PST)
Received: (qmail invoked by alias); 30 Dec 2011 08:53:33 -0000
Received: from p3EE2751C.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.117.28] by mail.gmx.net (mp032) with SMTP; 30 Dec 2011 09:53:33 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+vtXJMEGmvuZEWz8hOeLT4QG8EpLwfVwMfgeqlfe +LAEakydeskWQo
Message-ID: <4EFD7C09.9050702@gmx.de>
Date: Fri, 30 Dec 2011 09:53:29 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <4EAB66B3.4090404@KingsMountain.com> <4EABB25E.9000900@gmx.de> <4EFC5F7B.7050304@gmx.de> <CAJE5ia_HhenArVey=5-ttLqh4-vbBE01TFZKuzAmAtHQJQJ3kQ@mail.gmail.com> <4EFCD7E4.5060507@gmx.de> <CAJE5ia-w47HHhnTBAE_PMApAAdCu=6PJexaaoJO0MZ23Ae-vcw@mail.gmail.com> <4EFCDA9C.90308@gmx.de> <CAJE5ia-E1nhN1YGV6uy3uEq4oboQowDm4FboKbWV1kunHQmXPw@mail.gmail.com> <4EFCDDD5.6040005@gmx.de> <CAJE5ia8CL9ozRJgRNCdu6XwVT0paVuVUreB12f-BiMvH+wiq6A@mail.gmail.com> <4EFD73E6.1060506@gmx.de> <CAJE5ia8RBa8iCd_9TjXyzG54VASa6qqGomsO9gL-qQ2ia=BKLg@mail.gmail.com>
In-Reply-To: <CAJE5ia8RBa8iCd_9TjXyzG54VASa6qqGomsO9gL-qQ2ia=BKLg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2011 08:53:35 -0000

On 2011-12-30 09:46, Adam Barth wrote:
> On Fri, Dec 30, 2011 at 12:18 AM, Julian Reschke<julian.reschke@gmx.de>  wrote:
>> On 2011-12-29 22:45, Adam Barth wrote:
>>> Chrome does not (and will not) implement quoted-string for the STS
>>> header for the reasons I've explained previously.  You're welcome to
>>> file bugs, but I'm just going to close them WONTFIX.
>>
>> So your code intentionally is non-compliant with STS.
>>
>> I note that you are both a WG member and also listed as one of the authors
>> of the spec. Don't you think that this puts you into a strange position?
>
> Not really.  IMHO, we should just change the spec.

If you believe that support for quoted-string in extension directives is 
the wrong thing to do, please go ahead and lobby for a change.

I happen to agree that parsing should be consistent for all directives, 
but my preference is to keep quoted-string, both for what you gain (the 
ability to express certain values that otherwise you can't without 
introducing yet another new way to encode them), and consistency with 
other header fields.

Best regards, Julian