[websec] [Errata Rejected] RFC6797 (5204)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 29 October 2024 10:16 UTC
To: nick.dilssner@kirchbergerknorr.de, Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Date: Tue, 29 Oct 2024 03:16:31 -0700
CC: francesca.palombini@ericsson.com, iesg@ietf.org, websec@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] [Errata Rejected] RFC6797 (5204)
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/kQGNZQ0QFsL_ew4xJKwZf9sNdIg>
The following errata report has been rejected for RFC6797,
"HTTP Strict Transport Security (HSTS)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5204

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Nick Dilßner <nick.dilssner@kirchbergerknorr.de>
Date Reported: 2017-12-13
Rejected by: Francesca Palombini (IESG)

Section: 6.1.2

Original Text
-------------
includeSubDomains

Corrected Text
--------------
include-sub-domains or includesubdomains

Notes
-----
- In Section 6.1 the Strict-Transport-Security is defined as follows:

  Strict-Transport-Security = "Strict-Transport-Security" ":"
                              [ directive ] *( ";" [ directive ] )

- valueless Directive "includeSubDomains" is defined as an optional directive
- a directive is defined as follows:

  directive = directive-name [ "=" directive-value ]

- so "includeSubDomains" is only a directive-name which is defined as "token"
- according to "[RFC2616], Section 2.2" a token is any octet from 0 - 127 except CTLs (octets 0 - 31 + 127) and separators, which do NOT exclude '-' (octet 45)

So all fine? Yes, BUT at [RFC6797], Section 6.1 the "overall requirements for directives", Rule 3 defines:

  3. Directive names are case-insensitive.

And there is no other specification in Section 6.1.2, nor does it have an IANA policy definition [RFC5226] like it is defined for additionals.

- That means the "directive-name" includeSubDomains is "case-insensitive"! The "case-sensitive" camelized directive-name is misleading, because of many other definitions with "-", like seen in all examples or in the Header Field itself.
- to ensure clear understanding, the "directive definition" in section 6.1.2 and ALL occurrences need to be renamed. The minimum of renaming is "includesubdomains" OR "INCLUDESUBDOMAINS", but this is not readable anymore.
- So it should be renamed like other valueless directives, for example the "schemes-source" directives at "Content-Security-Policy", which means: "include-sub-domains"

Best Regards
Nick

--VERIFIER NOTES--
That is true, directive names are case insensitive, which means that, except for possibly misleading the reader, includeSubDomains and includesubdomains are equivalent. Making this change might be considered an editorial fix; however, I do not believe this is necessary. Changing the name to "include-sub-domains" can't be done via an erratum, and would need publishing a consensus document and an update to this RFC.

--------------------------------------
RFC6797 (draft-ietf-websec-strict-transport-sec-14)
--------------------------------------
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Stream              : IETF
Verifying Party     : IESG
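As an added illustration of the grammar the report walks through (this is example code, not part of the errata email or of RFC 6797 itself), a small Python parser that applies the Section 6.1 directive rules: names are compared case-insensitively, duplicate directives cause the whole header to be ignored, and unrecognized directives are skipped while the recognized ones are still processed. It shows that `INCLUDESUBDOMAINS` and `includeSubDomains` yield the same policy, while `include-sub-domains` is a perfectly valid token that a conforming UA simply does not recognize, which is the verifier's point about why the rename cannot be an erratum. Quoted-string handling of directive values is simplified (an assumption of this example, not the RFC's full ABNF).

```python
# RFC 2616 Section 2.2 separators; a token is any CHAR (0-127) that is
# neither a CTL (0-31, 127) nor a separator. Note that '-' is NOT a separator.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# Directive names this toy UA recognizes, stored lowercase because
# RFC 6797 Section 6.1 rule 3 makes directive names case-insensitive.
_RECOGNIZED = {"max-age", "includesubdomains"}


def is_token(s):
    """True if s is a non-empty RFC 2616 token."""
    return bool(s) and all(32 <= ord(c) < 127 and c not in _SEPARATORS for c in s)


def parse_sts(value):
    """Parse a Strict-Transport-Security field value into {name: value}.

    Names are lowercased (rule 3). Returns None when the header must be
    ignored: a non-token name/value (rule 4) or a repeated directive (rule 2).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # ABNF permits empty [ directive ]
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not is_token(name):
            return None
        if sep:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]           # simplified quoted-string (assumption)
            elif not is_token(val):
                return None
        else:
            val = None                    # valueless directive
        key = name.lower()
        if key in directives:
            return None                   # rule 2: each directive at most once
        directives[key] = val
    return directives


def sts_policy(value):
    """Return (max_age_seconds, include_subdomains) or None if ignored."""
    d = parse_sts(value)
    if d is None or d.get("max-age") is None or not d["max-age"].isdigit():
        return None                       # max-age is required
    if "includesubdomains" in d and d["includesubdomains"] is not None:
        return None                       # rule 4: includeSubDomains is valueless
    # Rule 5: anything outside _RECOGNIZED (e.g. include-sub-domains) is ignored.
    return int(d["max-age"]), "includesubdomains" in d
```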