Re: [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04

=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 05 April 2012 22:40 UTC

Message-ID: <4F7E1F51.9040002@KingsMountain.com>
Date: Thu, 05 Apr 2012 15:40:17 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04

Thanks for the feedback, proposed edits, and hacked xml2rfc source.

 > So this
 >
 > - states that the given ABNF applies to the value after q-s processing
 > (when needed)
 > - changes the ABNF to specify only the *value*

Ok. So you suggested..

6.1.1. The max-age Directive

     The REQUIRED max-age directive specifies the number of seconds, after
     the reception of the STS header field, during which the UA regards
     the host, from whom the message was received, as a Known HSTS Host
     (see also Section 8.1.1 "Noting a HSTS Host", below).

     The syntax of the max-age directive's value (after potentially
     applying quoted-string unescaping) is:

      max-age-v     = delta-seconds
      delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

     Note:  A max-age value of zero signals the UA to cease regarding the
            host as a Known HSTS Host.
..and I presently am polishing that to be..
6.1.1. The max-age Directive

     The REQUIRED "max-age" directive specifies the number of seconds,
     after the reception of the STS header field, during which the UA
     regards the host, from whom the message was received, as a Known HSTS
     Host (see also Section 8.1.1 "Noting a HSTS Host", below).

     The max-age directive value has the following syntax
     (after quoted-string unescaping, if necessary):

      max-age-value = delta-seconds
      delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>

     Note:  A max-age value of zero signals the UA to cease regarding the
            host as a Known HSTS Host.
I'm a little concerned that without an explicit syntax declaration such as..

      max-age       = "max-age" "=" max-age-value

..we'll confuse some readers ("what do I actually put in the STS header for 
this directive??"), but hopefully the examples in section 6.2, as well as 
putting the directive name in quotes in the first paragraph, will address this.

thx,

=JeffH
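The point under discussion, that the max-age-value ABNF (1*DIGIT) applies to the directive value only after quoted-string unescaping, is easy to get wrong in an implementation. The following is an added example, not code from the thread, the draft, or any browser: a small Python parser for an STS header field value that splits directives (respecting quotes), unescapes quoted-pairs, and only then checks the max-age value against 1*DIGIT. The function names, the token/quoted-string regexes, and the "reject the header if a directive repeats" rule are this example's own assumptions about how a UA would apply the text above; the sample header values in the demo are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed regexes (assumption): token = RFC 2616 token characters,
# quoted-string = DQUOTE with quoted-pair (backslash + any char) inside.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(
    rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED_STRING}))?\s*$"
)
# max-age-value = delta-seconds = 1*DIGIT, checked AFTER unescaping.
DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")


def split_directives(field_value: str) -> List[str]:
    """Split on ';' but not inside a quoted-string (a bare str.split would
    break a future directive whose quoted value contains ';')."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in field_value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def unescape_quoted_string(raw: str) -> str:
    """Strip surrounding DQUOTEs and resolve quoted-pair (\\X -> X).
    A token (no DQUOTEs) is returned unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_sts_directives(field_value: str) -> Optional[Dict[str, Optional[str]]]:
    """Map lower-cased directive name -> unescaped value (None if valueless).
    Returns None when any directive is malformed or appears twice
    (assumption: a repeated directive invalidates the whole header)."""
    directives: Dict[str, Optional[str]] = {}
    for part in split_directives(field_value):
        if part.strip() == "":
            continue  # empty directive slots are allowed by the grammar
        m = DIRECTIVE_RE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return None
        value = m.group(2)
        directives[name] = None if value is None else unescape_quoted_string(value)
    return directives


def parse_max_age(field_value: str) -> Optional[int]:
    """Return the max-age in seconds, or None if the UA must ignore the
    header (missing/duplicate directive, or value not matching 1*DIGIT).
    A return of 0 means 'cease regarding the host as a Known HSTS Host'."""
    directives = parse_sts_directives(field_value)
    if directives is None or "max-age" not in directives:
        return None
    value = directives["max-age"]
    if value is None or not DELTA_SECONDS_RE.match(value):
        return None
    return int(value)


if __name__ == "__main__":
    # Constructed sample field values; the third one only becomes 1*DIGIT
    # after quoted-pair unescaping, which is exactly the ordering issue.
    samples = [
        "max-age=31536000; includeSubDomains",
        'max-age="3600"',
        'max-age="36\\00"',
        "max-age=0",
        "max-age=-1",
        "max-age=1e3",
        "includeSubDomains",
        "max-age=10; max-age=20",
    ]
    for s in samples:
        print(f"{s!r:40} -> {parse_max_age(s)}")
```

The ordering matters: checking `1*DIGIT` against the raw `"36\00"` would wrongly reject a value that is syntactically valid once the quoted-string layer is removed, while checking after unescaping gives `3600`. Values such as `-1` or `1e3` are valid tokens at the directive-value layer but fail `delta-seconds`, so the header is ignored rather than being coerced into a number.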