[HASMAT] fyi: WebSocket and HASMAT
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 25 June 2010 17:28 UTC
fyi, one of the co-chairs of HyBi (aka websockets (hybi == hypertext bidirectional (protocol))) WG points out intersections between HyBi and HASMAT..

Subject: [hybi] WebSocket and HASMAT (was: IETF BoF @IETF-78 Maastricht: HASMAT - HTTP Application Security Minus Authentication and Transport)
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
Date: Thu, 10 Jun 2010 10:04:50 +0300
To: hybi@ietf.org

Hi there,

the HASMAT BoF is really important for HyBi, and I encourage all the people interested and involved in the WebSocket protocol design to participate in the BoF and become involved in the HASMAT mailing list discussion; among the other stuff:

- HASMAT is related to Issue 3 we currently have in the Issues tracker:
  http://trac.tools.ietf.org/wg/hybi/trac/ticket/3

- and it is also related to the security requirement we have in the requirements draft:
  http://tools.ietf.org/html/draft-ietf-hybi-websocket-requirements-00#section-3.4
  and in particular to the following one:

  REQ. 19: WebSocket should be designed to be robust against cross-protocol attacks. The protocol design should consider and mitigate the risk presented by WebSocket clients to existing servers (including HTTP servers). It should also consider and mitigate the risk to WebSocket servers presented by clients for other protocols (including HTTP).

cheers
/Sal