Re: [http-state] Seeking feedback on Security Considerations
Achim Hoffmann <ah@securenet.de> Sun, 28 February 2010 12:22 UTC
Message-ID: <4B8A600E.9050306@securenet.de>
Date: Sun, 28 Feb 2010 13:22:38 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
To: Adam Barth <ietf@adambarth.com>
References: <7789133a1002130001l6137f704va9e04a4edade1ee7@mail.gmail.com>
In-Reply-To: <7789133a1002130001l6137f704va9e04a4edade1ee7@mail.gmail.com>
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Seeking feedback on Security Considerations
Silly question about the used terms (see partial quote below also): Sometimes the text refers to "application", sometimes to "server". Currently cookies, in particular the cookie protocol, are handled mainly by servers, but the cookie and its value (key-value pair) are used by the application (or the framework there). And the application is where all the security issues occur! Without going into the precise definition of where technically the server ends and the application begins, I'd recommend that these two terms are used interchangeably. Should be mentioned somewhere.

Does this make sense?

Achim

> The cookie protocol is NOT RECOMMENDED for new applications.
>
> For applications that do use the cookie protocol, servers SHOULD NOT
> rely upon cookies for security.
>
> For servers that do use cookies for security, servers SHOULD use a
> redundant form of authentication, such as HTTP authentication or TLS
> client certificates.