Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive name" and "directive value"

Adam Barth <ietf@adambarth.com> Mon, 09 July 2012 20:50 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Mon, 9 Jul 2012 13:50:16 -0700
To: Barry Leiba <barryleiba@computer.org>
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-strict-transport-sec issue: "directive name" and "directive value"

That seems fine to me.

Adam


On Mon, Jul 9, 2012 at 1:30 PM, Barry Leiba <barryleiba@computer.org> wrote:
> The following came up in my AD review of
> draft-ietf-websec-strict-transport-sec, and Jeff suggested that I
> needed to take it to the list.  So here it is.
>
> The ABNF in Section 6.1 has this:
>
>    directive = token [ "=" ( token | quoted-string ) ]
>
> Below that, bullet 3 says this:
>
>    3.  Directive names are case-insensitive.
>
> And in Section 6.1.1:
>
>    The syntax of the max-age directive's value (after quoted-string
>    unescaping, if necessary) is defined as:
>
> Nothing defines what a directive name or a directive's value is.  You
> and I know they're what's on the left side of the equals sign and the
> right side, respectively.  We can't assume, though, that people will
> figure out that the ABNF definition above turns into "name=value", and
> will thus know what those terms mean, completely unambiguously, for
> essentially all readers.
>
> Making the grammar like this will fix it:
>
>    directive = directive-name [ "=" directive-value ]
>    directive-name = token
>    directive-value = token | quoted-string
>
> If there's a good reason not to make the ABNF change above, I'm happy
> to accept some other way of defining the terms, but I think they must
> be defined.  I think doing it with the ABNF is the easiest and
> smoothest way.
>
> Barry