On 01/05/2012 11:50 AM, Anne van Kesteren wrote:
On Thu, 05 Jan 2012 16:59:58 +0100, Paul Hoffman <paul.hoff...@vpnc.org>
wrote:
"We invented a header that your message-producing software must
special-case" is not a good way to get security.
If the header-consuming software works that way, it might be the only
way. What the right way to go here is kind of depends on how header
field values are typically implemented in practice. I suspect it to be
rather messy.
How about: servers generating the header MUST use quoted-string whenever
quoted-string is necessary, otherwise they SHOULD use the token
production on Mondays, Wednesdays, and Fridays and they SHOULD use
quoted-string on Tuesday, Thursday, Saturday, and Sunday.
Yes, I'm joking. But only half-way. I have a deep suspicion that
something like that might actually yield the best interoperability
overall. One thing worse than having arbitrarily-chosen redundant code
paths is having protocol grammar that's never ever used - until it's needed.
Meredith Patterson, Sergey Bratus, et al. have been talking about the
deep logical connections between lanugage expressive power,
generator/parser differences, and ... working exploits.
http://www.cs.dartmouth.edu/~sergey/langsec/
28c3: The Science of Insecurity
http://www.youtube.com/watch?v=3kEfedtQVOY
Worth watching.
And of course: Occupy Babel!
http://www.cs.dartmouth.edu/~sergey/langsec/occupy/
:-)
- Marsh
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec