Re: [websec] HSTS ABNF still broken: requires leading semi-colon

Alexey Melnikov <alexey.melnikov@isode.com> Sat, 24 March 2012 10:18 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EDC921F8702 for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54aHv0Za+p7W for <websec@ietfa.amsl.com>; Sat, 24 Mar 2012 03:18:38 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7758321F86B5 for <websec@ietf.org>; Sat, 24 Mar 2012 03:18:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332584317; d=isode.com; s=selector; i=@isode.com; bh=rtiDIt0JJ0ngbC4AxY9LDuJjQtmufOfhk0JLERtDtK8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=jnesxwKh58O2DK/ES5DdNqdHhHjnSjnQlgP4FmtdBBuCIGwAcn6O6e1kgsSFY3P4SK/tnx JCJH9/jSsMFKmbRNGgIr+C5Uci0CTxNABq2vgwR5PxIayD2EfXQ2RsoQHkgJhwob5tMB9Z GvQW8Lhw/O5GGYL8rxv9M3Dy8/0BvYw=;
Received: from [130.129.18.66] (dhcp-1242.meeting.ietf.org [130.129.18.66]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T22ffAAikr9I@rufus.isode.com>; Sat, 24 Mar 2012 10:18:37 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F6D9F83.9000504@isode.com>
Date: Sat, 24 Mar 2012 11:18:43 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F6D00C2.6090805@KingsMountain.com>
In-Reply-To: <4F6D00C2.6090805@KingsMountain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HSTS ABNF still broken: requires leading semi-colon
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 10:18:39 -0000

On 24/03/2012 00:01, =JeffH wrote:
> James.H.Manger@team.telstra.com wrote:
> >
> > The ABNF for the Strict-Transport-Security header looks wrong. It now
> > *requires* a leading ";" before the first directive.
>
> yes, it's broken as you indicate, and you aren't the only person to 
> have noticed it.
>
> I apologize (to all), I didn't thoroughly vet the suggested change to 
> the ABNF before incorporating it. doh.
>
> I suspect Julian just didn't look closely at his suggestion before 
> posting it..
>
>   https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
>
>
> > I suggest the following ABNF.
> >
> >   Strict-Transport-Security = "Strict-Transport-Security" ":"
> >                                  directive *( ";" directive )
> >
> >   directive                 = [ token [ "=" ( token | quoted-string 
> ) ] ]
>
>
> Well, I've been counseled in the past (and agree with it) that having 
> an ABNF production that is potentially totally null is not such a good 
> idea.
>
> Perhaps this approach addresses this problem and is closer to what 
> Julian intended..
>
>      Strict-Transport-Security = "Strict-Transport-Security" ":"
>                                  [ directive ]  *( ";" [ directive ] )
>
>      directive                 = token [ "=" ( token | quoted-string ) ]
>
> ?
I think this is fine. And you can enforce "can't be totally null" in 
prose, if you don't want to fix this in ABNF.