Re: Signing Set-Cookie

Martin Thomson <mt@lowentropy.net> Tue, 07 June 2022 00:10 UTC

Message-Id: <53545e69-42e0-4407-b297-71141a6b0cd9@beta.fastmail.com>
In-Reply-To: <CACsn0cnMk=3R8nAwiBhwVrJdf-OtE+E5GKc=ur6jmOxtaNrYaw@mail.gmail.com>
References: <A0601849-2870-4150-9926-5FA706D7F6DE@mit.edu> <CACcvr==K0gjhOaBaxt8vK80UYo1tAHVrh78yCcAEMvwx4tT=ag@mail.gmail.com> <7dff30c8-faac-413f-8387-f0a5a51fc6ff@beta.fastmail.com> <A659F1C6-97D6-48FB-BDED-B885AF93E553@mit.edu> <5f586a5b-4d62-40c8-8fa8-f747d08fd52f@beta.fastmail.com> <CACsn0cnMk=3R8nAwiBhwVrJdf-OtE+E5GKc=ur6jmOxtaNrYaw@mail.gmail.com>
Date: Tue, 07 Jun 2022 10:07:58 +1000
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Subject: Re: Signing Set-Cookie
Archived-At: <https://www.w3.org/mid/53545e69-42e0-4407-b297-71141a6b0cd9@beta.fastmail.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40076

On Tue, Jun 7, 2022, at 08:49, Watson Ladd wrote:
> This would also apply to treating MAC as a Signature wouldn't it?

:)

That is also hard to stomach, though for a different reason and it falls short of being absolutely unacceptable.  Just.  We accept TLS PSK modes on the understanding that there are just two entities and they each know their roles (the latter part thanks to Selfie).  The same *could* apply to a "symmetric signature" scheme here.  It's a giant footgun, but this spec is a collection of footguns of varying size already, so I don't get too excited about there being one more.
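The role-binding point made above (two key holders who each know their role, the lesson TLS 1.3 PSK took from Selfie), as an added example that is not part of this thread or of any HTTP Message Signatures implementation. It contrasts a naive HMAC over a Set-Cookie value, which says nothing about which of the two key holders produced it, with a MAC whose input binds the signer's role, so a tag the server computed cannot be accepted as one the client computed. The key, cookie value and role labels are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample secret and header value (not taken from the thread).
# A real deployment shares a high-entropy key between exactly two parties.
SHARED_KEY = b"constructed-demo-key-0123456789abcdef"
SAMPLE_SET_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def naive_mac(key: bytes, header_value: str) -> str:
    """HMAC over the raw header value only.

    Anyone holding the key can produce this tag, and nothing in the input
    records which party (or which direction of the exchange) it was made for.
    """
    return hmac.new(key, header_value.encode(), hashlib.sha256).hexdigest()


def naive_verify(key: bytes, header_value: str, tag: str) -> bool:
    return hmac.compare_digest(naive_mac(key, header_value), tag)


def role_bound_mac(key: bytes, signer_role: str, header_value: str) -> str:
    """HMAC whose input also commits to the signer's role.

    Binding the role is the same fix Selfie forced on TLS PSK: both parties
    hold the key, so the MAC input itself must say who is speaking. The role
    is length-prefixed so that different role/value splits cannot collide.
    """
    role = signer_role.encode()
    msg = (
        len(role).to_bytes(2, "big") + role
        + b"\x00" + b"set-cookie:" + header_value.encode()
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def role_bound_verify(key: bytes, expected_signer_role: str,
                      header_value: str, tag: str) -> bool:
    expected = role_bound_mac(key, expected_signer_role, header_value)
    return hmac.compare_digest(expected, tag)


def reflection_demo() -> tuple[bool, bool]:
    """Simulate a reflected tag.

    The server makes a tag over a Set-Cookie value. A verifier then checks
    that same tag while expecting it to have come from the *client*. Returns
    (naive_accepts, role_bound_accepts).
    """
    # Server side: produce both kinds of tag for the same header value.
    server_naive_tag = naive_mac(SHARED_KEY, SAMPLE_SET_COOKIE)
    server_bound_tag = role_bound_mac(SHARED_KEY, "server", SAMPLE_SET_COOKIE)

    # Verifier side, expecting a client-produced tag.
    naive_accepts = naive_verify(SHARED_KEY, SAMPLE_SET_COOKIE, server_naive_tag)
    bound_accepts = role_bound_verify(
        SHARED_KEY, "client", SAMPLE_SET_COOKIE, server_bound_tag
    )
    return naive_accepts, bound_accepts


def verifier_can_forge() -> bool:
    """With a shared key the verifier can mint any tag it could verify,
    which is why a MAC gives no non-repudiation toward a third party."""
    forged = role_bound_mac(SHARED_KEY, "server", "evil=1; Path=/")
    return role_bound_verify(SHARED_KEY, "server", "evil=1; Path=/", forged)


if __name__ == "__main__":
    print("naive accepts reflected tag, role-bound accepts:", reflection_demo())
    print("verifier can forge a valid tag:", verifier_can_forge())
```

Role binding closes the reflection case, but as the last function shows it does nothing for the other property people expect from the word "signature": either key holder can mint a valid tag, so the tag proves nothing to anyone outside the pair.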