[http-state] Fwd: I-D Action: draft-secure-cookie-session-protocol-05.txt

Peter Saint-Andre <stpeter@stpeter.im> Fri, 07 September 2012 20:50 UTC

As seen in the I-D repository...


-------- Original Message --------
Subject: I-D Action: draft-secure-cookie-session-protocol-05.txt
Date: Fri, 07 Sep 2012 13:47:44 -0700
From: internet-drafts@ietf.org
Reply-To: internet-drafts@ietf.org
To: i-d-announce@ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts
directories.


        Title           : SCS: Secure Cookie Sessions for HTTP
        Author(s)       : Stefano Barbato
                          Steven Dorigotti
                          Thomas Fossati
        Filename        : draft-secure-cookie-session-protocol-05.txt
        Pages           : 21
        Date            : 2012-09-07

Abstract:
   This document provides an overview of SCS, a small cryptographic
   protocol layered on top of the HTTP cookie facility, that allows its
   users to produce and consume authenticated and encrypted cookies, as
   opposed to usual cookies, which are unauthenticated and sent in
   clear text.

   An interesting property, rising naturally from the given
   confidentiality and authentication properties, is that by using SCS
   cookies, it is possible to avoid storing the session state material
   on the server side altogether.  In fact, an SCS cookie presented by
   the user agent to the origin server can always be validated (i.e.
   possibly recognized as self-produced, fresh, untampered material)
   and, as such, be used to safely restore application state.

   Hence, typical use cases may include devices with little or no
   storage offering some functionality via an HTTP interface, as well as
   web applications with high availability or load balancing
   requirements which would prefer to handle application state without
   the need to synchronize the pool through shared storage or peering.

   Another noteworthy application scenario is represented by the
   distribution of authorized web content (e.g. by CDNs), where an SCS
   token can be used, either in a cookie or embedded in the URI, to
   provide evidence of the entitlement to access the associated resource
   by the requesting user agent.

   Nevertheless, its security properties allow SCS to be used whenever
   the privacy and integrity of cookies are a concern, by paying an
   affordable price in terms of increased cookie size, additional CPU
   clock cycles needed by the symmetric key encryption and HMAC
   algorithms, and related key management, which can be made a nearly
   transparent task.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-secure-cookie-session-protocol

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-secure-cookie-session-protocol-05

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-secure-cookie-session-protocol-05


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

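As an added illustration (not the draft's code and not its wire format), the following Python sketches the stateless, encrypt-then-MAC cookie design the abstract describes: the server keeps no session table and restores state only from a cookie whose tag proves it self-produced and untampered and whose issue time proves it fresh. The field layout, the HMAC-SHA256 keystream standing in for a block cipher, and MAX_AGE are this example's own choices.

```python
import base64, binascii, hashlib, hmac, json, os, time

MAX_AGE = 3600  # seconds an issued cookie is accepted as "fresh" (example's own choice)


def _keystream_xor(key, iv, data):
    """Stand-in for a block cipher: HMAC-SHA256 in counter mode as a PRF keystream."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_cookie(state, enc_key, mac_key, now=None):
    """Encrypt the session dict, stamp it with its issue time, then MAC all fields."""
    iv = os.urandom(16)
    atime = str(int(time.time() if now is None else now)).encode()
    data = _keystream_xor(enc_key, iv, json.dumps(state, sort_keys=True).encode())
    body = "|".join(_b64(field) for field in (data, atime, iv))
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).digest()
    return body + "|" + _b64(tag)


def decode_cookie(cookie, enc_key, mac_key, now=None):
    """Return the session dict, or None if the cookie is forged, altered or stale."""
    try:
        data_b64, atime_b64, iv_b64, tag_b64 = cookie.split("|")
        tag, atime = _unb64(tag_b64), int(_unb64(atime_b64))
    except (ValueError, binascii.Error):
        return None  # malformed: wrong field count, bad base64 or non-numeric time
    body = "|".join((data_b64, atime_b64, iv_b64))
    expected = hmac.new(mac_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # not self-produced or tampered with: reject before decrypting
    current = int(time.time() if now is None else now)
    if not 0 <= current - atime <= MAX_AGE:
        return None  # stale (or post-dated): outside the freshness window
    plain = _keystream_xor(enc_key, _unb64(iv_b64), _unb64(data_b64))
    return json.loads(plain)
```

Because the issue time is covered by the tag, a client cannot extend its own session by editing the timestamp; rotating the two keys is the only server-side state the scheme needs.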