Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive, name" and "directive value"
Julian Reschke <julian.reschke@gmx.de> Tue, 10 July 2012 06:52 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B2F11E8160 for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 23:52:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.901
X-Spam-Level:
X-Spam-Status: No, score=-104.901 tagged_above=-999 required=5 tests=[AWL=-2.302, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1chZm8F-Nwb for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 23:52:44 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 3FDE821F8565 for <websec@ietf.org>; Mon, 9 Jul 2012 23:52:43 -0700 (PDT)
Received: (qmail invoked by alias); 10 Jul 2012 06:53:09 -0000
Received: from p54BB3690.dip.t-dialin.net (EHLO [192.168.178.36]) [84.187.54.144] by mail.gmx.net (mp039) with SMTP; 10 Jul 2012 08:53:09 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19KcO9L+JRK2K1s6NUAocEe0GoS22VdgH7oD+/rJt orXHdCoo9AU4Pi
Message-ID: <4FFBD151.2070109@gmx.de>
Date: Tue, 10 Jul 2012 08:53:05 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4FFB5E45.70801@KingsMountain.com>
In-Reply-To: <4FFB5E45.70801@KingsMountain.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Barry Leiba <barryleiba@computer.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive, name" and "directive value"
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 06:52:45 -0000
On 2012-07-10 00:42, =JeffH wrote: > > The following came up in my AD review of > > draft-ietf-websec-strict-transport-sec, and Jeff suggested that I > > needed to take it to the list. So here it is. > > > > The ABNF in Section 6.1 has this: > > > > directive = token [ "=" ( token | quoted-string ) ] > > > > Below that, bullet 3 says this: > > > > 3. Directive names are case-insensitive. > > > > And in Section 6.1.1: > > > > The syntax of the max-age directive's value (after quoted-string > > unescaping, if necessary) is defined as: > > > > Nothing defines what a directive name or a directive's value is. You > > and I know they're what's on the left side of the equals sign and the > > right side, respectively. We can't assume, though, that people will > > figure out that the ABNF definition above turns into "name=value", and > > will thus know what those terms mean, completely unambiguously, for > > essentially all readers. > > fyi/fwiw, the manner in which the ABNF is crafted was finalized in the > thread, with Julian Reschke, rooted here.. > > Re: [websec] STS ABNF, was: new rev: > draft-ietf-websec-strict-transport-sec-04 > https://www.ietf.org/mail-archive/web/websec/current/msg01114.html > > > > Nothing defines what a directive name or a directive's value is. You > > and I know they're what's on the left side of the equals sign and the > > right side, respectively. We can't assume, though, that people will > > figure out that the ABNF definition above turns into "name=value", and > > will thus know what those terms mean, completely unambiguously, for > > essentially all readers. > > > > Making the grammar like this will fix it: > > > > directive = directive-name [ "=" directive-value ] > > directive-name = token > > directive-value = token | quoted-string > > > > If there's a good reason not to make the ABNF change above, I'm happy > > to accept some other way of defining the terms, but I think they must > > be defined. I think doing it with the ABNF is the easiest and > > smoothest way. > > I can see doing it as above, or even as a comment.. > > directive = token [ "=" ( token | quoted-string ) ] > ; directive-name = directive-value > > Julian apparently has some reasoning for trying not to put everything > into the ABNF (see the thread pointed to above). So I think it'd good > if he weighed in on this. > > I do note that the ABNF in draft-ietf-httpbis-p2-semantics-19 for the > "expect" header field which Julian points at does explicitly define ABNF > for expect-name and expect-value, similarly to Barry's suggestion above. Adding ABNF productions for clarity seems fine to me. Best regards, Julian