Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

David Morris <dwm@xpasc.com> Wed, 24 February 2010 21:17 UTC

Return-Path: <dwm@xpasc.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26B093A8515 for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 13:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.953
X-Spam-Level:
X-Spam-Status: No, score=-1.953 tagged_above=-999 required=5 tests=[AWL=0.646, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoFuOYww9FQB for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 13:17:42 -0800 (PST)
Received: from mail.xpasc.com (mail.xpasc.com [68.164.244.189]) by core3.amsl.com (Postfix) with ESMTP id B0C683A7664 for <http-state@ietf.org>; Wed, 24 Feb 2010 13:17:42 -0800 (PST)
Received: from bslepgate.xpasc.com (localhost.localdomain [127.0.0.1]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id 10701101852 for <http-state@ietf.org>; Wed, 24 Feb 2010 13:19:51 -0800 (PST)
X-Propel-Return-Path: <dwm@xpasc.com>
Received: from mail.xpasc.com ([10.1.2.88]) by [127.0.0.1] ([127.0.0.1]) (port 7027) (Abaca EPG outproxy filter 3.1.1.9347 $Rev: 9262 $) id iz6Ura2oljP0; Wed, 24 Feb 2010 13:19:51 -0800
Received: from xpasc.com (egate.xpasc.com [10.1.2.49]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id EC67A10184A for <http-state@ietf.org>; Wed, 24 Feb 2010 13:19:50 -0800 (PST)
Received: from egate.xpasc.com (egate.xpasc.com [10.1.2.49]) by xpasc.com (8.13.8/8.13.8) with ESMTP id o1OLJo9H021192 for <http-state@ietf.org>; Wed, 24 Feb 2010 13:19:50 -0800
Date: Wed, 24 Feb 2010 13:19:50 -0800 (PST)
From: David Morris <dwm@xpasc.com>
To: http-state <http-state@ietf.org>
In-Reply-To: <5c4444771002240926j3f4e859cq8bfcf7be34cf7e5f@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1002241305230.18807@egate.xpasc.com>
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com> <4C374A2653EB5E43AF886CE70DFC567213CEF5CE46@34093-MBX-C03.mex07a.mlsrvr.com> <5c4444771002231929m3749c1c2g7903b444155dafa7@mail.gmail.com> <4B84DF96.7070709@gmx.de> <5c4444771002240926j3f4e859cq8bfcf7be34cf7e5f@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Propel-ID: iz6Ura2oljP0
Subject: Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: http-state <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 21:17:44 -0000

On Wed, 24 Feb 2010, Adam Barth wrote:

> 
> [[
>       The cookie protocol has many
>       historical infelicities that degrade its security and privacy.
> ]]

Better, but I think 'infelicities' is not a common word and its use would 
make the docuemnt harder to read.

> 
> How do folks feel about this related statement in Security Considerations:
> 
> [[
>         <t>For applications that use the cookie protocol, servers SHOULD
>         NOT rely upon cookies for security.</t>
> ]]

Given that we are documenting an existing protocol, a SHOULD NOT statement
is probabaly excessive.

I think we should instead stress (and document those that are known) that
there are many opportunities to compromise the content of cookies 
including insertion of rogue cookies and/or removing valid cookies. Hence,
the design of applications which depend on cookies should carefully
consider the impact on application data integrity (and security) if
the cookie mechanism is subverted. In this context, I use application 
in the classic sense of a set of computer software which delivers some
form of service to people or other computer applications.