Re: [websec] Strict-Transport-Security syntax redux

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 09 January 2012 02:17 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D499021F85C6 for <websec@ietfa.amsl.com>; Sun, 8 Jan 2012 18:17:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.55
X-Spam-Level:
X-Spam-Status: No, score=-102.55 tagged_above=-999 required=5 tests=[AWL=0.049, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J954gkJyVR4x for <websec@ietfa.amsl.com>; Sun, 8 Jan 2012 18:17:33 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 667C821F85C0 for <websec@ietf.org>; Sun, 8 Jan 2012 18:17:33 -0800 (PST)
Received: from [10.20.30.103] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id q092HUBp032957 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sun, 8 Jan 2012 19:17:30 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAJE5ia-5X_onfhUriRkQZNbVBa_qRBYPkUu8kyEVsrGmE41_=Q@mail.gmail.com>
Date: Sun, 8 Jan 2012 18:17:29 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <5E3D100F-863A-4C78-B432-B2A4104D3DDA@vpnc.org>
References: <CAJE5ia-E1nhN1YGV6uy3uEq4oboQowDm4FboKbWV1kunHQmXPw@mail.gmail.com> <4EFCDDD5.6040005@gmx.de> <CAJE5ia8CL9ozRJgRNCdu6XwVT0paVuVUreB12f-BiMvH+wiq6A@mail.gmail.com> <4EFD73E6.1060506@gmx.de> <CAJE5ia8RBa8iCd_9TjXyzG54VASa6qqGomsO9gL-qQ2ia=BKLg@mail.gmail.com> <4EFD7C09.9050702@gmx.de> <CAJE5ia8aN_MKUX_7ehp6siw=CY7nC4aSRPoPcsaDX8+emwaFVw@mail.gmail.com> <4EFD8BCE.7010909@gmx.de> <CAJE5ia9cziSx-xb6nCEFXJkbu2Ls_ZQmYHpfrC7UK3ig3ZmM2g@mail.gmail.com> <4F052D2E.5050200@gondrom.org> <aoakg7l45gfcrj731u6k652hjofhv12ocl@hive.bjoern.hoehrmann.de> <CAJE5ia-5X_onfhUriRkQZNbVBa_qRBYPkUu8kyEVsrGmE41_=Q@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2012 02:17:33 -0000

On Jan 8, 2012, at 4:25 PM, Adam Barth wrote:

> This header isn't defined in RFC 2616 and many headers defined outside
> of RFC 2616 don't use quoted-string.


I haven't completely kept up on new headers, but I think "many" may be an overstatement (but am happy to be proven wrong). The fact that one or two got it wrong shouldn't guide us: security robustness should.

--Paul Hoffman