Re: [http-state] Seeking feedback on Security Considerations

Achim Hoffmann <ah@securenet.de> Sun, 28 February 2010 12:22 UTC

Message-ID: <4B8A600E.9050306@securenet.de>
Date: Sun, 28 Feb 2010 13:22:38 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
User-Agent: who cares?
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <7789133a1002130001l6137f704va9e04a4edade1ee7@mail.gmail.com>
In-Reply-To: <7789133a1002130001l6137f704va9e04a4edade1ee7@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Seeking feedback on Security Considerations

Silly question about the terms used (see partial quote below also):

  Sometimes the text refers to "application", sometimes to "server".

Currently cookies, in particular the cookie protocol, are handled mainly
by servers, but the cookie and its value (key-value pair) are used by
the application (or the framework there). And the application is where
all the security issues occur!

Without going into the precise definition of where technically the server
ends and the application begins, I'd recommend that these two terms be
used interchangeably. This should be mentioned somewhere.

Does this make sense?
Achim

>    The cookie protocol is NOT RECOMMENDED for new applications.
> 
>    For applications that do use the cookie protocol, servers SHOULD NOT
>    rely upon cookies for security.
> 
>    For servers that do use cookies for security, servers SHOULD use a
>    redundant form of authentication, such as HTTP authentication or TLS
>    client certificates.