Re: Stateful compression of cookies (Re: Delta Compression and UTF-8 Header Values)
Nico Williams <nico@cryptonector.com> Mon, 11 February 2013 16:38 UTC
Date: Mon, 11 Feb 2013 10:36:53 -0600
Message-ID: <CAK3OfOjZ+u_ieZtSrBMSwsCx3ngOj7V=sHbfV-nW+zKSEwJCmg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Zhong Yu <zhong.j.yu@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Mon, Feb 11, 2013 at 10:05 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Mon, Feb 11, 2013 at 10:24 AM, Nico Williams <nico@cryptonector.com>
> wrote:
>> (Also, a note about small session IDs: they can't be so small as to be
>> guessable. 32-bit session IDs would be a disaster. I think I'd not
>> feel comfortable with session IDs smaller than 96 bits.)
>
>
> Please, let's not repeat the mistake of doing bearer tokens.

Heh, well, you know that I'm with you on this, as we both have I-Ds
that involve the use of MACs to authenticate access to sessions on
each request.

> I would very much like to separate out authentication tokens from state
> tokens so that we can get some sanity. But the replacement for the use of a
> session cookie for authentication should be a proof of knowledge of the
> shared secret rather than presentation of the shared secret itself.

Right.

> Doing this would render the various BEAST and CRIME attacks ineffective
> along with most cookie stealing as the confidential data would only go
> across the wire in plaintext at most once.

Although BEAST/CRIME are not the only reasons to want this.

> So the communication pattern might be:

But we still need a) a session ID, and/or b) server-side state stored
as encrypted cookies (in the generic sense, not "web cookies") on the
client side.

Nico
--
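The pattern the two of them are converging on (an unguessable session ID, with the shared secret sent once at issuance and afterwards proven by a MAC over each request rather than presented as a bearer cookie), as an added Python sketch that is not part of the thread and not either author's I-D; the names `SESSIONS`, `issue_session`, `sign_request` and `verify_request` and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side session table: session_id -> {"key": bytes, "seen": set()}.
# The key never goes back over the wire after issuance; only MAC tags do.
SESSIONS = {}


def issue_session():
    """Server: mint a session. The ID is 128 bits (the thread argues for at least
    96 so it cannot be guessed); the MAC key is a separate 256-bit secret."""
    sid = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    SESSIONS[sid] = {"key": key, "seen": set()}
    return sid, key


def canonical(method, path, body, ts, nonce):
    """Bind the MAC to the whole request so a captured tag authorises nothing else."""
    return b"\n".join([method.encode(), path.encode(), hashlib.sha256(body).digest(),
                       str(ts).encode(), nonce.encode()])


def sign_request(sid, key, method, path, body, now=None):
    """Client: produce the per-request proof of knowledge. The key itself is not sent."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"sid": sid, "ts": ts, "nonce": nonce, "tag": tag}


def verify_request(auth, method, path, body, now=None, window=300):
    """Server: accept only a fresh, not-yet-seen request with a correct MAC."""
    sess = SESSIONS.get(auth.get("sid"))
    if sess is None:
        return False                                  # unknown or guessed session ID
    now = int(now if now is not None else time.time())
    if abs(now - int(auth["ts"])) > window:
        return False                                  # stale timestamp
    if auth["nonce"] in sess["seen"]:
        return False                                  # replay of a captured request
    expected = hmac.new(sess["key"], canonical(method, path, body, int(auth["ts"]),
                                               auth["nonce"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False                                  # constant-time tag comparison
    sess["seen"].add(auth["nonce"])                   # remember nonce only after success
    return True
```

A stolen request here yields a tag that is bound to one method, path, body and nonce, which is the property a bearer cookie lacks; the nonce set would of course need bounding by the timestamp window in a real deployment.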