Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive, name" and "directive value"

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 09 July 2012 22:41 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F13A21F85C2 for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 15:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.527
X-Spam-Level:
X-Spam-Status: No, score=-100.527 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Czrn5O7qwILZ for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 15:41:46 -0700 (PDT)
Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by ietfa.amsl.com (Postfix) with SMTP id 7EC1D21F85C0 for <websec@ietf.org>; Mon, 9 Jul 2012 15:41:46 -0700 (PDT)
Received: (qmail 5589 invoked by uid 0); 9 Jul 2012 22:42:12 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com with SMTP; 9 Jul 2012 22:42:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=Mrmt6LQ0QOwn4sE2qBShLCY9CaZEAcF7X9r3TEEtnRk=; b=xEsPOMXwzSGDvaP0WdPXAF67yAFC2AsuUzo8Q0zU2FWYoFuTAZ8lcdnd3sKq0nFZjFRNCdMweBY7tiyjaN2pxReQhuBNDscIGhwoy7UVECZsMvZkAf60JfLJsRRZRkV3;
Received: from [216.113.168.128] (port=1249 helo=[10.244.137.220]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SoMeh-0005K2-VY; Mon, 09 Jul 2012 16:42:12 -0600
Message-ID: <4FFB5E45.70801@KingsMountain.com>
Date: Mon, 09 Jul 2012 15:42:13 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>, Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive, name" and "directive value"
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 22:41:48 -0000

 > The following came up in my AD review of
 > draft-ietf-websec-strict-transport-sec, and Jeff suggested that I
 > needed to take it to the list.  So here it is.
 >
 > The ABNF in Section 6.1 has this:
 >
 >    directive = token [ "=" ( token | quoted-string ) ]
 >
 > Below that, bullet 3 says this:
 >
 >    3.  Directive names are case-insensitive.
 >
 > And in Section 6.1.1:
 >
 >    The syntax of the max-age directive's value (after quoted-string
 >    unescaping, if necessary) is defined as:
 >
 > Nothing defines what a directive name or a directive's value is.  You
 > and I know they're what's on the left side of the equals sign and the
 > right side, respectively.  We can't assume, though, that people will
 > figure out that the ABNF definition above turns into "name=value", and
 > will thus know what those terms mean, completely unambiguously, for
 > essentially all readers.

fyi/fwiw, the manner in which the ABNF is crafted was finalized in the thread, 
with Julian Reschke, rooted here..

Re: [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04
https://www.ietf.org/mail-archive/web/websec/current/msg01114.html


 > Nothing defines what a directive name or a directive's value is.  You
 > and I know they're what's on the left side of the equals sign and the
 > right side, respectively.  We can't assume, though, that people will
 > figure out that the ABNF definition above turns into "name=value", and
 > will thus know what those terms mean, completely unambiguously, for
 > essentially all readers.
 >
 > Making the grammar like this will fix it:
 >
 >    directive = directive-name [ "=" directive-value ]
 >    directive-name = token
 >    directive-value = token | quoted-string
 >
 > If there's a good reason not to make the ABNF change above, I'm happy
 > to accept some other way of defining the terms, but I think they must
 > be defined.  I think doing it with the ABNF is the easiest and
 > smoothest way.

I can see doing it as above, or even as a comment..

     directive = token [ "=" ( token | quoted-string ) ]
               ; directive-name = directive-value

Julian apparently has some reasoning for trying not to put everything into the 
ABNF (see the thread pointed to above).  So I think it'd good if he weighed in 
on this.

I do note that the ABNF in draft-ietf-httpbis-p2-semantics-19 for the "expect" 
header field which Julian points at does explicitly define ABNF for expect-name 
and expect-value, similarly to Barry's suggestion above.

thanks,

=JeffH