On 2011-11-09 21:09, Chris Palmer wrote:
> On Wed, Nov 9, 2011 at 12:34 AM, Julian Reschke <[email protected]> wrote:
>>
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-17.html#rfc.section.3.1>
>>
>> So decide whether you want to allow multiple header fields (in which case
>> you should use the ABNF list notation used in 2616/HTTPbis), *or* define the
>> syntax so that a "," introduced by header field recombination can be
>> detected by recipients.
>
> I'm sorry, I don't know what you mean by "a ',' introduced by header
> field recombination".

<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>

> What grammar do you prefer?

I would recommend a syntax that uses a single delimiter. If you use ";", you'd be able to detect the case mentioned above. If you use ",", you could support multiple header fields (if this is desired).

By using both however, you gain nothing (IMHO), and create potential problems.

Let's assume it's ";". In that case I would write:

directives      = max-age LWS *( ";" LWS [ fingerprint ] )

thus require max-age to be always first (your grammar allows it at the beginning and at the end, but not in between; this is likely to cause confusion).

Then make fingerprint a proper name/value pair, as in other HTTP parameters, and put the name of the hash into the parameter name. So instead of

   Public-Key-Pins: max-age=31536000;
       pins=sha1-4n972HfV354KP560yw4uqe/baXc=,
       sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

you'd have

   Public-Key-Pins: max-age=31536000;
       pins-sha1=4n972HfV354KP560yw4uqe/baXc=;
       pins-sha256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

Finally, allow quoted-string notation,

   Public-Key-Pins: max-age=31536000;
       pins-sha1="4n972HfV354KP560yw4uqe/baXc=";
       pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="

so that characters not allowed (such as "/") in HTTP tokens work.

Best regards, Julian

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
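As an added illustration (this is not code from the thread, from the HPKP draft, or from any of its authors), here is a Python parser for the ";"-delimited grammar proposed in the message above: max-age must come first, each fingerprint is a pins-<hash>=value pair, values may be tokens or quoted-strings as in RFC 2616 section 2.2, and a bare "," is treated as an error, since under this grammar it can only have been introduced by a recipient combining two Public-Key-Pins fields (RFC 2616 section 4.2). The digest-length table, the PinHeaderError name and the sample field-values (the thread's example, folded over several lines) are assumptions constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List

# token and quoted-string per RFC 2616 section 2.2: a token is any CHAR
# except CTLs and separators, so "/" and "=" (both used by base64) must
# be quoted.
_SEPARATORS = r'()<>@,;:\\"/\[\]?={}'
TOKEN = r'(?:(?![' + _SEPARATORS + r'])[\x21-\x7e])+'
QUOTED_STRING = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x00-\x7f])*"'
PARAM_RE = re.compile(r'^(' + TOKEN + r')=(' + TOKEN + r'|' + QUOTED_STRING + r')$')

# Assumption for the example: only these two hash names are known.
DIGEST_BYTES = {'sha1': 20, 'sha256': 32}


class PinHeaderError(ValueError):
    """Raised for any field-value the proposed grammar does not allow."""


def _split_directives(value: str) -> List[str]:
    """Split on ';' outside quoted-strings; a bare ',' is an error."""
    parts: List[str] = []
    buf: List[str] = []
    in_quote = escaped = False
    for ch in value:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ';':
            parts.append(''.join(buf))
            buf = []
        elif ch == ',':
            # ',' is not a delimiter in this grammar, so the only way it
            # shows up unquoted is a recipient joining two Public-Key-Pins
            # fields with "," (RFC 2616 4.2). Refuse the whole value rather
            # than guess where one field ends and the next begins.
            raise PinHeaderError("bare ',' in field-value: multiple header fields were combined")
        else:
            buf.append(ch)
    if in_quote:
        raise PinHeaderError("unterminated quoted-string")
    parts.append(''.join(buf))
    return [p.strip(' \t') for p in parts]


def _unquote(raw: str) -> str:
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1], flags=re.S)
    return raw


def parse_public_key_pins(field_value: str) -> Dict[str, object]:
    """directives = max-age LWS *( ";" LWS [ fingerprint ] )"""
    # LWS may contain a CRLF followed by whitespace: unfold it first.
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', field_value).strip(' \t')
    directives = _split_directives(unfolded)
    first = PARAM_RE.match(directives[0])
    if not first or first.group(1).lower() != 'max-age':
        raise PinHeaderError("max-age must be the first directive")
    max_age = _unquote(first.group(2))
    if not re.fullmatch(r'[0-9]+', max_age):
        raise PinHeaderError("max-age must be a non-negative integer")
    pins: Dict[str, List[str]] = {}
    for directive in directives[1:]:
        if directive == '':
            continue  # "[ fingerprint ]" allows an empty element
        m = PARAM_RE.match(directive)
        if not m:
            raise PinHeaderError("malformed directive: %r" % directive)
        name = m.group(1).lower()
        if not name.startswith('pins-'):
            raise PinHeaderError("unknown directive: %r" % name)
        alg = name[len('pins-'):]
        value = _unquote(m.group(2))
        try:
            digest = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raise PinHeaderError("pin for %s is not valid base64" % alg)
        if alg in DIGEST_BYTES and len(digest) != DIGEST_BYTES[alg]:
            raise PinHeaderError("%s pin is %d bytes, expected %d"
                                 % (alg, len(digest), DIGEST_BYTES[alg]))
        pins.setdefault(alg, []).append(value)
    return {'max-age': int(max_age), 'pins': pins}


def rejected(field_value: str) -> bool:
    """True if the grammar refuses the value (used for the checks below)."""
    try:
        parse_public_key_pins(field_value)
    except PinHeaderError:
        return True
    return False


def recombine(field_values: List[str]) -> str:
    """Join repeated fields the way RFC 2616 section 4.2 permits."""
    return ', '.join(field_values)


# Constructed sample: the thread's example, folded as a server might send it.
QUOTED_FORM = ('max-age=31536000;\r\n'
               '    pins-sha1="4n972HfV354KP560yw4uqe/baXc=";\r\n'
               '    pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="')
TOKEN_FORM = QUOTED_FORM.replace('"', '')  # "/" and "=" unquoted: not a token

if __name__ == '__main__':
    print(parse_public_key_pins(QUOTED_FORM))
    for bad in (TOKEN_FORM, recombine([QUOTED_FORM, QUOTED_FORM])):
        print('rejected' if rejected(bad) else 'accepted', repr(bad[:40]))
```

Running it accepts the quoted form, rejects the unquoted form (the base64 "/" and "=" are separators, not token characters, which is the point of allowing quoted-string), and rejects two fields joined by a recipient, which is the detection the single-delimiter choice buys.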