[http-state] Draft httpstate minutes IETF-78 Maastricht
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 20 August 2010 20:59 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D7CA33A6881 for <http-state@core3.amsl.com>; Fri, 20 Aug 2010 13:59:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.058
X-Spam-Level:
X-Spam-Status: No, score=-100.058 tagged_above=-999 required=5 tests=[AWL=-2.059, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, SARE_FWDLOOK=1.666, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UkUFlbmyhEOr for <http-state@core3.amsl.com>; Fri, 20 Aug 2010 13:59:49 -0700 (PDT)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 797C83A6A7C for <http-state@ietf.org>; Fri, 20 Aug 2010 13:59:49 -0700 (PDT)
Received: (qmail 32571 invoked by uid 0); 20 Aug 2010 21:00:22 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 20 Aug 2010 21:00:22 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=PaYhXCDoRE4gYpuZ2t9ykyAE9t6R7AuhdiSOOu2jLbycVMHr4ssxply7FSlhAZuy7kUgTWOMoqMqrdUj3eQ5+HE0l/0fO8LMoa7CqFeoTs1hqeKRsWv1SM+4q/NLgGxZ;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.205]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OmYhJ-0006Ze-Up for http-state@ietf.org; Fri, 20 Aug 2010 15:00:22 -0600
Message-ID: <4C6EECE4.801@KingsMountain.com>
Date: Fri, 20 Aug 2010 14:00:20 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF HTTP State WG <http-state@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [http-state] Draft httpstate minutes IETF-78 Maastricht
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2010 20:59:51 -0000
Please fine draft httpstate minutes from IETF-78 Maastricht below. If you have comments on the below, please send them to the list (preferrably) or to me by Wed 25-Aug. (the deadline for getting them into the IETF-78 proceedings is the following Fri). thanks, =JeffH ======================================== IETF httpstate WG DRAFT Minutes for IETF-78 Maastricht, NL ---------------------------------------- Monday 1740-1940 Afternoon Session III ======================================== Chair: Jeff Hodges <Jeff.Hodges@KingsMountain.com> Minute Taker: Paul Hoffman agenda: http://www.ietf.org/proceedings/78/agenda/httpstate.txt 1. Agenda bash & Blue sheets No bashing 2. Review changes from -08 (LCWD) to -09 Presented by Adam Barth spec: http://tools.ietf.org/html/draft-ietf-httpstate-cookie Gave long list of small changes on main slide Julian Reschke: Don't worry about the URL for the original cookie spec You'll have to deal with the RFC Editor anyway Adam: Can it be hosted on an IETF web site? Paul Hoffman: No, still no policy for this Special processing of date header -- Only vendor doing this is Firefox Adam: will register a bug on this with Mozilla Will put out a -10 right after the meeting ends (done) 3. Discuss changes yet to be finished (if any) Julian: Wants more ability to read as a stand-alone document Adam: Names for algorithms vs. parameters passed to algorithms Julian: maybe make an appendix to describe these hooks Julian: Inconsistent that some requirements are in ABNF and some is in code The current doc is hard to understand for people Intro to algorithms could describe the difference between strict vs. non-strict Adam: risk of restating is that people who only read one part might get it wrong Mark Nottingham: clearly state that the algorithm is mandatory but also include parts Julian: is sad that you have to run the algorithm in your head in order to understand what the actual cookie header looks like Adam: maybe add introductory text to each algorithm saying what it will do Jeff Hodges: wants section 5 to explicitly say that it can parse anything that comes in Peter St.Andres: any sort of garbage come in so describe what to do with it Adam: interesting that this is odd for this world, this is the part that tells you what to do JeffH: (queries room) do we need to do another WG last call Room's Answer: no 4. Discuss possible future work post-httpstate-cookie "Public suffix" http://tools.ietf.org/html/draft-pettersen-subtld-structure-06 Yngve Pettersen Possibly want to create a black list to help the ".co.uk" problem with cookies Possibly make the rule that a cookie can only be for the host or a subzone Possible denial of service from malicious cookies Peter: maybe get rid of theory of "subdomain" Yngve: but people have deployed servers this way Martin Thompson: Had a discussion in HTTPbis of resources that don't have a domain in them... What would you do with that? Adam: already covered here because you don't have to do HTTP Adam: it would be better if each domain had a separate cookie store Maybe sites that want to have many coordinated hosts should just do it on their own Knows how to restrict but doesn't know how to make federation easier Paul: DNS people really hate this because it smudges administrative zones Yngve: but it does not reflect [what?] Adam: this is not good for forward-looking behavior Peter: A useful contribution might be to craft an informational document on what people are doing today "Securing HTTP State Management Information" http://tools.ietf.org/html/draft-salgueiro-secure-state-management [ Gonzalo Salgueiro wasn't present ] Adam: if you can see someone's cookie you can forward their state to somewhere else This adds some encryption to prevent that Mark: is this signing? Adam: roughly, yes "CAKE" (aka "Simple HTTP State Management") http://www.ietf.org/mail-archive/web/http-state/current/msg00893.html Adam Barth Every origin (host+scheme+port) has a nonce When client makes a request, it asks the nonce Goal: maintain state between client and server Main problem: integrity -- If user is on HTTPS, attackers can overwrite your state JeffH: strict transport security is trying to mitigate this In Gmail: an attacker attaches its cookie to another message This is about clobbering in the cookie store, not in transit Mark: there is some work being discussed in terms of generic HTTP header signing in the headers Adam: need a way to segregate between HTTP and HTTPs Mark: Also need to segregate between tabs Mark: is the goal to replace or supplement current cookies? Adam: replace, in the use care we are most interested in: secure sessions Most sites use nonces for state management JeffH: in general, we need to think about HTTP state management overall, not just cookies, hence CAKE is interesting Martin: the nice characteristic of cookies is that they are really flexible Maybe just add a few restrictions. ?: it's common to use HTTP for everything but use TLS for getting passwords Martin: just use redirects, like OAUTH Adam: that is not secure, can get into the attackers' context Mark: maybe make cookies read-only on HTTP and write-only or read-write on HTTPS. Different way to do what we want is is TLS client certs Maybe have the client generate a self-signed certificate for a limited period of time Can pregenerate the certs; they are not server-specific Yngve: proposed alternate idea, will send it to Adam Carrasco: asked for more examples Adam: send public key in HTTP, then use it in HTTPS Has advantage of reducing number of cookies Mark: will talk more about signing HTTP headers a la DKIM, maybe with these ephemeral certs. Mostly interested in response signing, but some in request signing Cyrus Daboo: ischedule does DKIM-like signing for headers Needs to be dynamic Yngve: can agree to a key and just MAC Adam: might not work that well in federation Jeff: this interacts with HAZMAT Can prevent this being used over non-secure transport Peter: there seems to be some energy in doing this More than just state management Ekr: thinks it is non-crazy idea Encourages to bring it to the TLS WG at the same time --- end