Re: [websec] Strict-Transport-Security syntax redux
"Anne van Kesteren" <annevk@opera.com> Thu, 05 January 2012 17:50 UTC
To: websec@ietf.org
On Thu, 05 Jan 2012 16:59:58 +0100, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> FWIW, I'm with Julian on this, particularly:
>
>> - principle of least surprise and consistency - if quoted-string works
>> in other header fields with param syntax, why not here?
>
> "We invented a header that your message-producing software must
> special-case" is not a good way to get security.

If the header-consuming software works that way, it might be the only way. What the right way to go here is kind of depends on how header field values are typically implemented in practice. I suspect it to be rather messy.

-- 
Anne van Kesteren
http://annevankesteren.nl/
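
The interoperability question debated in this message, as an added example that is not part of the original e-mail: two header-consuming parsers, one accepting quoted-string directive values and one accepting only tokens, run over constructed Strict-Transport-Security values. The names `parse_sts` and `effective_max_age` are hypothetical, `max-age` and `includeSubDomains` are the header's standard directives, and rejecting the whole field on any syntax error is an assumption of this sketch.

```python
import re

# token and quoted-string as defined for HTTP header fields (RFC 7230).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One optional directive, name[=value], terminated by ";" or end of field.
DIRECTIVE = re.compile(
    rf"\s*(?:({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?)?\s*(?:;|\Z)"
)


def parse_sts(field, allow_quoted):
    """Return {name: value or None}, or None when the field is rejected."""
    directives, pos = {}, 0
    while pos < len(field):
        m = DIRECTIVE.match(field, pos)
        if m is None:
            return None  # syntax error: the whole field is rejected (assumption)
        name, value = m.group(1), m.group(2)
        pos = m.end()
        if name is None:
            continue  # empty directive, e.g. a trailing ";"
        if value is not None and value.startswith('"'):
            if not allow_quoted:
                return None  # token-only consumer treats a quoted value as an error
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo quoted-pair escapes
        if name.lower() in directives:
            return None  # a repeated directive is rejected
        directives[name.lower()] = value
    return directives


def effective_max_age(field, allow_quoted):
    """Seconds of policy this consumer would record, or None for no policy."""
    age = (parse_sts(field, allow_quoted) or {}).get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None
    return int(age)


# Constructed sample field values, not taken from the thread.
SAMPLES = ['max-age=31536000; includeSubDomains', 'max-age="31536000"']
if __name__ == "__main__":
    for field in SAMPLES:
        print(field, effective_max_age(field, True), effective_max_age(field, False))
```

The second sample yields a policy only from the consumer that accepts quoted-string, so a site emitting that form would be left without a recorded policy on the token-only consumer.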