Re: [websec] Strict-Transport-Security syntax redux

Phillip Hallam-Baker <hallam@gmail.com> Sat, 29 October 2011 18:27 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87C6621F85B1 for <websec@ietfa.amsl.com>; Sat, 29 Oct 2011 11:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=-0.714, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FR1-7JKEb2Hj for <websec@ietfa.amsl.com>; Sat, 29 Oct 2011 11:27:51 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id ADF3E21F85A8 for <websec@ietf.org>; Sat, 29 Oct 2011 11:27:51 -0700 (PDT)
Received: by ggnv1 with SMTP id v1so5520300ggn.31 for <websec@ietf.org>; Sat, 29 Oct 2011 11:27:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Wsg1QJxFaZSDMDft9mYwZ4Ts0BPUKfVAFFuT94M3lA8=; b=uFZh+NqtC6WTH6+ptwz+JIOfbjLP22FgkhF386nqTnqejxC7Bgz4TJodcN4krIRwq9 wyEYjxJBCfCD0xTRCMAynq/JX+IZE2pRTewTObw9M9CHuTN+8fz6LhcVkVdQp79gGWbG Vckl2bDKra8wKtLHvRrwZdhYGX3WpluX3YlfE=
MIME-Version: 1.0
Received: by 10.182.17.103 with SMTP id n7mr1606668obd.68.1319912870387; Sat, 29 Oct 2011 11:27:50 -0700 (PDT)
Received: by 10.182.42.99 with HTTP; Sat, 29 Oct 2011 11:27:50 -0700 (PDT)
In-Reply-To: <4EABA42F.2070900@gmx.de>
References: <4EAB6808.7030006@KingsMountain.com> <4EABA42F.2070900@gmx.de>
Date: Sat, 29 Oct 2011 14:27:50 -0400
Message-ID: <CAMm+LwjXCsx-k+P=CX+sjUGF76qtRuxiCWLC2gYfp5Kfdm1PAw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: multipart/alternative; boundary=f46d04447429c620ea04b0742986
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Oct 2011 18:27:52 -0000

Use of lowercase may is certainly allowed.

But it causes so much hassle as people (1) keep asking if it should be MAY
and (2) 'correct' the draft to use upper case.

It is easier to try using other words instead. Which is not easy since it
tends to crop up all the time in non-normative text.


Probably the best long term solution would be to have an XML2RFC tag that
declared a section as non-normative so that the nits checker can then catch
unintentional uppercasing.


On Sat, Oct 29, 2011 at 2:58 AM, Julian Reschke <julian.reschke@gmx.de>wrote;wrote:

> On 2011-10-29 04:42, =JeffH wrote:
>
>>  >> The max-age directive MUST appear once in the
>> Strict-Transport-Security
>>  >> header field value. The includeSubDomains directive MAY appear once.
>>  >> The order of appearance of directives in the Strict-Transport-Security
>>  >> header field value is not significant.
>>  >>
>>  >> Additional directives extending the the semantic functionality of
>>  >> the Strict-Transport-Security header field may be defined in other
>>  >
>>  > MAY or might ?
>>
>> yes, a good question.
>>
>> I believe that there's examples in other RFCs of the use of the
>> lower-case "may" in situations similar to this (I've seen it discussed
>> many times over the years). I.e., not all instances of "may" in any
>> given RFC are capitalized "MAY"s. In this case, "MAY" isn't appropriate
>> IIRC.
>>
>> And yes, a way to avoid that question/issue is to use a different word
>> such as "might" or "can", which i can do. I just thought a "may" has
>> more correct connotations (but I /knew/ it'd come up as a question :)
>>
>> thanks,
>>
>
> +1 to "can"
>
> ______________________________**_________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/**listinfo/websec<https://www.ietf.org/mailman/listinfo/websec>
>



-- 
Website: http://hallambaker.com/