Re: [websec] Strict-Transport-Security syntax redux

"Anne van Kesteren" <annevk@opera.com> Thu, 05 January 2012 17:50 UTC

To: websec@ietf.org
Date: Thu, 05 Jan 2012 18:50:01 +0100
From: "Anne van Kesteren" <annevk@opera.com>
Organization: Opera Software
Message-ID: <op.v7mg5ns564w2qv@annevk-macbookpro.local>
In-Reply-To: <553F526C-4433-489B-80B5-4C29E5FB0DC4@vpnc.org>
User-Agent: Opera Mail/11.60 (MacIntel)
Subject: Re: [websec] Strict-Transport-Security syntax redux

On Thu, 05 Jan 2012 16:59:58 +0100, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> FWIW, I'm with Julian on this, particularly:
>
>> - principle of least surprise and consistency - if quoted-string works in other header fields with param syntax, why not here?
>
> "We invented a header that your message-producing software must special-case" is not a good way to get security.

If the header-consuming software works that way, it might be the only way. What the right way to go here is kind of depends on how header field values are typically implemented in practice. I suspect it to be rather messy.


-- 
Anne van Kesteren
http://annevankesteren.nl/
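The disagreement in this thread is whether STS directive values should accept quoted-string as other parameterised header fields do. As an added illustration, not code from this thread or from any browser, here is a consumer-side parser that follows the grammar later published in RFC 6797 (directive-value = token / quoted-string) and ignores the header on the error conditions that RFC lists; the function name parse_sts and the sample inputs in the test are my own.

```python
import re

# Grammar from what became RFC 6797: directive-name = token,
# directive-value = token / quoted-string, so a consumer that only
# special-cases bare tokens would reject a perfectly valid max-age="600".
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(
    rf"(?P<name>{_TOKEN})\s*(?:=\s*(?P<value>{_TOKEN}|{_QUOTED}))?\s*(?=;|$)"
)


def _unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts(header):
    """Parse one Strict-Transport-Security field value.

    Returns {directive-name: value} with names lower-cased and max-age as
    an int, or None when the whole header must be ignored: a directive
    that is neither token nor quoted-string, a directive given twice, or
    a missing or non-numeric max-age.
    """
    directives = {}
    pos = 0
    while pos < len(header):
        if header[pos] in "; \t":
            pos += 1              # empty directives ("a;;b") are legal
            continue
        m = _DIRECTIVE.match(header, pos)
        if m is None:
            return None           # unparsable directive: ignore header
        pos = m.end()
        name = m.group("name").lower()
        if name in directives:
            return None           # each directive may appear only once
        value = m.group("value")
        directives[name] = _unquote(value) if value is not None else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives
```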