Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

David Morris <dwm@xpasc.com> Wed, 24 February 2010 21:58 UTC

Date: Wed, 24 Feb 2010 14:00:24 -0800
From: David Morris <dwm@xpasc.com>
To: http-state <http-state@ietf.org>


On Wed, 24 Feb 2010, Adam Barth wrote:

> On Wed, Feb 24, 2010 at 1:19 PM, David Morris <dwm@xpasc.com> wrote:
> > On Wed, 24 Feb 2010, Adam Barth wrote:
> >>
> >> [[
> >>       The cookie protocol has many
> >>       historical infelicities that degrade its security and privacy.
> >> ]]
> >
> > Better, but I think 'infelicities' is not a common word and its use would
> > make the document harder to read.
> 
> That sounds like an editorial decision.  On a previous thread someone
> mentioned that they happened to like this word.  :)

I don't dislike the word, after I looked it up, I recognize it fits.
Consider this editorial advice ... don't use words that aren't commonly 
known to your English speaking audience. The remainder of the 
international audience won't have a clue and will either have to look the 
word up or choose to not accurately understand what you have written.

> 
> >> How do folks feel about this related statement in Security Considerations:
> >>
> >> [[
> >>         <t>For applications that use the cookie protocol, servers SHOULD
> >>         NOT rely upon cookies for security.</t>
> >> ]]
> >
> > Given that we are documenting an existing protocol, a SHOULD NOT statement
> > is probably excessive.
> >
> > I think we should instead stress (and document those that are known) that
> > there are many opportunities to compromise the content of cookies
> > including insertion of rogue cookies and/or removing valid cookies. Hence,
> > the design of applications which depend on cookies should carefully
> > consider the impact on application data integrity (and security) if
> > the cookie mechanism is subverted. In this context, I use application
> > in the classic sense of a set of computer software which delivers some
> > form of service to people or other computer applications.
> 
> We now have a fairly detailed Security Considerations section that
> discusses all the security issues I know of with the cookie protocol.
> If you know of things that aren't covered, please let me know and I'll
> add them.
> 
> I'm somewhat on the fence as to whether the general advice is helpful.

My basic point, which reiterates what others have expressed, is that we 
can't forbid usage for which you don't have a better proposed alternative.

Appropriate general advice ... "Read and understand the Security 
Considerations section and take the steps appropriate and necessary
to reduce the risk to an acceptable level." Or something like that.