Thanks for the review, Julian.
> The ABNF now is:
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
> directive *( ";" [ directive ] )
>
>
> directive = token [ "=" ( token | quoted-string ) ]
>
> ...and I think this is almost right.
>
> It does allow empty directives (thus repeated or trailing semicolons),
> but not leading semicolons.
>
> So
>
> STS: foo ;
>
> parses, but
>
> STS: ; foo
>
> does not.
Well, I guess a question is whether we want "STS: ; foo " to "parse"?
I'm not sure we do, but can be convinced otherwise.
Part of the intention of the above ABNF is that the STS header must have at
least one directive (i.e. max-age - given the constraints in the prose
following the ABNF)
I suppose what you're trying to say is that all of the below ought to "parse"
successfully...
STS: max-age=nnnnnn
STS: max-age=nnnnnn
STS: max-age=nnnnnn ;
STS: max-age=nnnnnn ; ; ;
STS: ; max-age=nnnnnn
STS: ; ; ; max-age=nnnnnn
STS: ; ; ; max-age=nnnnnn ; ; ;
?
> This could be fixed by saying:
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
> *( ";" [ directive ] )
>
Yes, that'll allow for the constructions above, along with (at most one instance
of) includeSubDomains being interspersed between any of the semicolons.
> I like the subsequent prose about the additional constraints.
good :)
> For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
> should be legal here (I understand that's
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
Sections 6.1.1 and 6.1.2 describe the syntax particular to the max-age and
includeSubDomains directives, and neither of those directives employs
quoted-string, and I don't think they need to or should.
I conceded to add quoted-string syntax to the generic directive syntax of..
directive = token [ "=" ( token | quoted-string ) ]
..in case someone at some time wishes to add an extension directive employing
quoted-string syntax.
Are you saying that sections 6.1.1 and 6.1.2 need to explicitly declare non-use
of quoted-string? Presently it's implied by the declared ABNF syntax for
those two defined directives..
max-age = "max-age" "=" delta-seconds
delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
..and..
includeSubDomains = "includeSubDomains"
thanks again,
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
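The parsing rules debated in this thread, as an added example that is not part of the original messages or of the draft: a Python parser for the Strict-Transport-Security field value that accepts leading, trailing and repeated semicolons (the `*( ";" [ directive ] )` form), reads each directive as `token [ "=" ( token | quoted-string ) ]` with a quoted-string allowed to contain `;`, and then applies the prose constraints: max-age is required and takes an unquoted delta-seconds (1*DIGIT) value, includeSubDomains takes no value and appears at most once. The `token` and `quoted-string` character classes follow RFC 2616; treating directive names case-insensitively and rejecting any repeated directive (not only includeSubDomains) are assumptions beyond what the thread states. Function names are the example's own.

```python
import re

# token = 1*<any CHAR except CTLs or separators>, per RFC 2616 section 2.2
_TOKEN = r"[!#$%&'*+\-.0-9A-Za-z^_`|~]+"
# quoted-string = <"> *( qdtext | quoted-pair ) <">, simplified to "no unescaped quote"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# directive = token [ "=" ( token | quoted-string ) ], with optional LWS around "="
_DIRECTIVE = re.compile(
    r"[ \t]*(" + _TOKEN + r")[ \t]*(?:=[ \t]*(" + _TOKEN + "|" + _QUOTED + r"))?[ \t]*"
)


def parse_directives(field_value):
    """Tokenize an STS field value into (name, argument) pairs.

    Empty directives (leading, trailing or repeated ";") are skipped, so every
    construction listed in the thread ("; max-age=n", "max-age=n ; ; ;", ...)
    is accepted.  The argument is None when no "=" is present; a quoted-string
    argument is returned with its quotes intact so the caller can tell the two
    forms apart.  Raises ValueError on anything that is not a directive.
    """
    directives = []
    pos, end = 0, len(field_value)
    while pos < end:
        ch = field_value[pos]
        if ch in " \t":            # LWS between directives
            pos += 1
            continue
        if ch == ";":              # empty directive: *( ";" [ directive ] )
            pos += 1
            continue
        m = _DIRECTIVE.match(field_value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}: {field_value[pos:]!r}")
        directives.append((m.group(1), m.group(2)))
        pos = m.end()
        # after a directive only end-of-value or a separating ";" may follow
        if pos < end and field_value[pos] != ";":
            raise ValueError(f"expected ';' at offset {pos}: {field_value[pos:]!r}")
    return directives


def validate_sts(field_value):
    """Apply the prose constraints on top of the generic directive grammar.

    Returns a dict with the parsed max-age, the includeSubDomains flag and any
    extension directives (name -> raw argument).  Assumption: directive names
    are compared case-insensitively and no directive may be repeated.
    """
    seen = {}
    for name, arg in parse_directives(field_value):
        key = name.lower()
        if key in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen[key] = arg

    if "max-age" not in seen:
        raise ValueError("max-age directive is required")
    max_age = seen.pop("max-age")
    # delta-seconds = 1*DIGIT: an unquoted token of ASCII digits only
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age requires an unquoted delta-seconds value")

    include_subdomains = "includesubdomains" in seen
    if include_subdomains and seen.pop("includesubdomains") is not None:
        raise ValueError("includeSubDomains takes no value")

    return {
        "max_age": int(max_age),
        "include_subdomains": include_subdomains,
        "extensions": seen,          # unknown directives are kept, not rejected
    }


if __name__ == "__main__":
    # constructed inputs mirroring the variants listed in the thread
    for value in ["max-age=31536000", "; ; ; max-age=31536000 ; ; ;",
                  "max-age=31536000; includeSubDomains", "foo ;"]:
        try:
            print(repr(value), "->", validate_sts(value))
        except ValueError as exc:
            print(repr(value), "-> rejected:", exc)
```

Running the block prints the accepted forms with their parsed values and shows `foo ;` being rejected for lacking max-age, which is the "must have at least one directive" constraint carried by the prose rather than by the ABNF.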