Re: Secdir telechat review of draft-ietf-httpbis-rfc6265bis-19

Steven Bingler <bingler@chromium.org> Mon, 25 August 2025 21:28 UTC

From: Steven Bingler <bingler@chromium.org>
Date: Mon, 25 Aug 2025 17:27:03 -0400
To: ietf-http-wg@w3.org
Subject: Re: Secdir telechat review of draft-ietf-httpbis-rfc6265bis-19

Hello Valery and Secdir,

Thank you for the review and my apologies for the late reply. I had to
take a hiatus.

Find my responses to your issues below. The changes I've made have not
yet been published as a draft but are available to view on the github
repo. https://github.com/httpwg/http-extensions/blob/main/draft-ietf-httpbis-rfc6265bis.md

> 1. Please, make it more clear that the restrictions on the cookie use, that the
> server imposes via attributes, are not guaranteed to be honored even by an
> honest user agent. For example, if the clocks on the server and on the client
> are out of sync, then the user agent may innocently try to use a cookie beyond
> its lifetime. Thus, the imposed restrictions for the received cookies MUST be
> checked by the server.

I've expanded "The Expires Attribute"'s text to warn of this behavior.
Assuming I'm understanding your comment correctly, I don't believe any
other attributes can similarly "ignore" their restrictions so long as
the UA is honest.

> 2. Section 8.1 states that "by default, cookies do not provide confidentiality
> or integrity from network attackers, even when used in conjunction with HTTPS"....

I tweaked the text a bit to acknowledge that HTTPS does offer benefits.

> 3. Section 8.3 lists security risks when cookies are sent in clear and clause 3
> states: "A malicious client could alter the Cookie header before transmission,
> with unpredictable results". I failed to understand how this is concerned with
> the use of TLS. In my understanding, malicious clients can do this in any case,
> regardless on whether TLS is used or not. Am I missing something?

Agreed that the third point is unclear. I've removed it.

> 4. Section 7.1, last para states that "it is RECOMMENDED that user agents adopt
> a policy for third-party cookies that is as restrictive as compatibility
> constraints permit". This gives no concrete recommendations, and no examples,
> thus making this requirement vague and subjective. I think this requirement
> should be provided with more details how to deal with it.

This is difficult to do given the range of compatibility constraints
among user agents. Some agents could strive for maximum compatibility
while others for maximum user privacy. The third-party cookie policies
will differ greatly between those two types of UAs.

Upcoming cookie changes, such as CHIPS, would make this reasonable
feedback for https://www.ietf.org/archive/id/draft-ietf-httpbis-layered-cookies-00.html#name-third-party-cookies

> Just out of curiosity - the draft adds a requirement that cookie SHOULD NOT be
> greater than 400 days. I wonder why this particular margin was chosen. Why not
> 365 days (a year) - it looks like a natural equivalent to "very long, but not
> infinite"?

400 days was chosen to allow for cookies that exist for yearly events
(Tax return services for example) with some added padding in case the
user visited a little later. Plus to get a nice round number.

- Steven
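The following is an added example, not code from the draft or from this thread: it shows point 1 (the server checking a cookie's lifetime itself rather than relying on the UA to drop an expired cookie) together with the 400-day upper bound discussed in the last exchange. The server key, the `sid` cookie layout and the helper names are assumptions made for illustration.

```python
# Added example (not from the draft or the thread): a server that enforces a
# cookie's lifetime with its own clock instead of trusting the user agent.
import hashlib
import hmac
import time
from typing import Optional

# Constructed key for this example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
# Upper bound from draft-ietf-httpbis-rfc6265bis: lifetime SHOULD NOT exceed 400 days.
MAX_COOKIE_AGE = 400 * 24 * 60 * 60


def mint_cookie(session_id: str, max_age: int, now: Optional[float] = None) -> str:
    """Return a Set-Cookie value whose payload carries its own expiry and a MAC.

    The lifetime is clamped to 400 days, and the expiry is bound into the MAC
    so an altered Cookie header cannot extend it. session_id must not contain '.'.
    """
    now = time.time() if now is None else now
    max_age = min(max_age, MAX_COOKIE_AGE)
    expires_at = int(now) + max_age
    payload = f"{session_id}.{expires_at}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"sid={payload}.{tag}; Max-Age={max_age}; Secure; HttpOnly; Path=/"


def verify_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the session id if the cookie is authentic and unexpired by the
    server's clock, else None. A UA whose clock is behind may still send an
    expired cookie; this check does not depend on the UA having dropped it."""
    now = time.time() if now is None else now
    parts = value.split(".")
    if len(parts) != 3:
        return None
    session_id, expires_str, tag = parts
    payload = f"{session_id}.{expires_str}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered or forged value: the MAC no longer matches
    if not expires_str.isdigit() or int(expires_str) <= now:
        return None  # expired by the server's clock, whatever the client believed
    return session_id


def cookie_value(set_cookie: str) -> str:
    """Extract the bare cookie value from the Set-Cookie string mint_cookie returns."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]
```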