IETF Logo Mail Archive

[http-state] Draft httpstate minutes IETF-78 Maastricht

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 20 August 2010 20:59 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D7CA33A6881 for <http-state@core3.amsl.com>; Fri, 20 Aug 2010 13:59:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.058
X-Spam-Level:
X-Spam-Status: No, score=-100.058 tagged_above=-999 required=5 tests=[AWL=-2.059, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, SARE_FWDLOOK=1.666, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UkUFlbmyhEOr for <http-state@core3.amsl.com>; Fri, 20 Aug 2010 13:59:49 -0700 (PDT)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 797C83A6A7C for <http-state@ietf.org>; Fri, 20 Aug 2010 13:59:49 -0700 (PDT)
Received: (qmail 32571 invoked by uid 0); 20 Aug 2010 21:00:22 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 20 Aug 2010 21:00:22 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=PaYhXCDoRE4gYpuZ2t9ykyAE9t6R7AuhdiSOOu2jLbycVMHr4ssxply7FSlhAZuy7kUgTWOMoqMqrdUj3eQ5+HE0l/0fO8LMoa7CqFeoTs1hqeKRsWv1SM+4q/NLgGxZ;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.205]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OmYhJ-0006Ze-Up for http-state@ietf.org; Fri, 20 Aug 2010 15:00:22 -0600
Message-ID: <4C6EECE4.801@KingsMountain.com>
Date: Fri, 20 Aug 2010 14:00:20 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF HTTP State WG <http-state@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [http-state] Draft httpstate minutes IETF-78 Maastricht
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2010 20:59:51 -0000

Please fine draft httpstate minutes from IETF-78 Maastricht below.

If you have comments on the below, please send them to the list (preferrably) 
or to me by Wed 25-Aug.  (the deadline for getting them into the IETF-78 
proceedings is the following Fri).

thanks,

=JeffH


========================================
IETF httpstate WG
DRAFT Minutes for IETF-78  Maastricht, NL
----------------------------------------
Monday 1740-1940 Afternoon Session III
========================================

Chair: Jeff Hodges <Jeff.Hodges@KingsMountain.com>

Minute Taker: Paul Hoffman

agenda: http://www.ietf.org/proceedings/78/agenda/httpstate.txt


1. Agenda bash & Blue sheets

   No bashing


2. Review changes from -08 (LCWD)  to -09
    Presented by Adam Barth

    spec: http://tools.ietf.org/html/draft-ietf-httpstate-cookie

    Gave long list of small changes on main slide

    Julian Reschke: Don't worry about the URL for the original cookie spec
	   You'll have to deal with the RFC Editor anyway

	   Adam: Can it be hosted on an IETF web site?

	   Paul Hoffman: No, still no policy for this


    Special processing of date header --
	   Only vendor doing this is Firefox

    Adam:   will register a bug on this with Mozilla

            Will put out a -10 right after the meeting ends (done)


3. Discuss changes yet to be finished (if any)

    Julian: Wants more ability to read as a stand-alone document

    Adam:   Names for algorithms vs. parameters passed to algorithms

    Julian: maybe make an appendix to describe these hooks



    Julian: Inconsistent that some requirements are in ABNF and some is in
	   code The current doc is hard to understand for people Intro to
	   algorithms could describe the difference between strict vs.
            non-strict

     Adam:  risk of restating is that people who only read one part might
            get it wrong

     Mark Nottingham: clearly state that the algorithm is mandatory but also
                      include parts

     Julian: is sad that you have to run the algorithm in your head in order
             to understand what the actual cookie header looks like

     Adam:   maybe add introductory text to each algorithm saying what it
             will do



     Jeff Hodges: wants section 5 to explicitly say that it can parse
                  anything that comes in

     Peter St.Andres: any sort of garbage come in so describe what to do
                      with it

     Adam:   interesting that this is odd for this world, this is the part
             that tells you what to do



     JeffH: (queries room) do we need to do another WG last call

     Room's Answer: no


4. Discuss possible future work post-httpstate-cookie


"Public suffix"
     http://tools.ietf.org/html/draft-pettersen-subtld-structure-06
     Yngve Pettersen

       Possibly want to create a black list to help the ".co.uk" problem
       with cookies

       Possibly make the rule that a cookie can only be for the host or
       a subzone

       Possible denial of service from malicious cookies


     Peter: maybe get rid of theory of "subdomain"
     Yngve: but people have deployed servers this way

     Martin Thompson: Had a discussion in HTTPbis of resources that don't have
                      a domain in them... What would you do with that?
     Adam:  already covered here because you don't have to do HTTP


     Adam:  it would be better if each domain had a separate cookie store
	    Maybe sites that want to have many coordinated hosts should
	    just do it on their own Knows how to restrict but doesn't
             know how to make federation easier

     Paul:  DNS people really hate this because it smudges administrative zones

     Yngve: but it does not reflect [what?]

     Adam:  this is not good for forward-looking behavior
	
     Peter: A useful contribution might be to craft an informational
            document on what people are doing today


"Securing HTTP State Management Information"
     http://tools.ietf.org/html/draft-salgueiro-secure-state-management
     [ Gonzalo Salgueiro wasn't present ]

     Adam:   if you can see someone's cookie you can forward their state to
	    somewhere else This adds some encryption to prevent that

     Mark:   is this signing?
     Adam:   roughly, yes


"CAKE"  (aka "Simple HTTP State Management")
     http://www.ietf.org/mail-archive/web/http-state/current/msg00893.html
     Adam Barth

     Every origin (host+scheme+port) has a nonce

     When client makes a request, it asks the nonce

     Goal: maintain state between client and server

     Main problem: integrity -- If user is on HTTPS, attackers can
                   overwrite your state

       JeffH: strict transport security is trying to mitigate this

       In Gmail: an attacker attaches its cookie to another message
       This is about clobbering in the cookie store, not in transit


       Mark: there is some work being discussed in terms of generic
              HTTP header signing in the headers

       Adam: need a way to segregate between HTTP and HTTPs

       Mark: Also need to segregate between tabs


       Mark: is the goal to replace or supplement current cookies?

       Adam: replace, in the use care we are most interested in: secure
	      sessions Most sites use nonces for state management



     JeffH:   in general, we need to think about HTTP state
              management overall, not just cookies, hence CAKE is interesting

     Martin: the nice characteristic of cookies is that they are really
	    flexible Maybe just add a few restrictions.


     ?:      it's common to use HTTP for everything but use TLS for
             getting passwords

     Martin: just use redirects, like OAUTH
	
     Adam:    that is not secure, can get into the attackers' context



     Mark:   maybe make cookies read-only on HTTP and write-only or
             read-write on HTTPS. Different way to do what we want is
	    is TLS client certs Maybe have the client generate a
	    self-signed certificate for a limited period of time Can
             pregenerate the certs; they are not server-specific

     Yngve:  proposed alternate idea, will send it to Adam


     Carrasco: asked for more examples

     Adam:   send public key in HTTP, then use it in HTTPS
	    Has advantage of reducing number of cookies



     Mark:   will talk more about signing HTTP headers a la DKIM,
	    maybe with these ephemeral certs. Mostly interested
             in response signing, but some in request signing

        Cyrus Daboo: ischedule does DKIM-like signing for headers
	       Needs to be dynamic

        Yngve: can agree to a key and just MAC

        Adam:  might not work that well in federation

        Jeff:  this interacts with HAZMAT
	       Can prevent this being used over non-secure transport

        Peter: there seems to be some energy in doing this
	       More than just state management

        Ekr:   thinks it is non-crazy idea
	      Encourages to bring it to the TLS WG at the same time

---
end

v2.23.0 | Report a Bug | By Email