Re: Formalizing the HTTP State Tokens proposal.

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 02 April 2019 16:53 UTC

Date: Thu, 28 Mar 2019 21:40:46 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Mike West <mkwst@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Mar 28, 2019 at 11:14:22AM +0100, Mike West wrote:
> Way back in August, 2018, I started a thread [1] on a proposal to introduce
> a client-controlled, origin-bound, HTTPS-only session identifier for
> network-level state management [2].
> 
> I wasn't able to make it to IETF104, but I will be attending the HTTP
> workshop next week. In the hopes of sparking some conversations there, I've
> formalized the proposal as
> https://tools.ietf.org/html/draft-west-http-state-tokens-00, clarifying
> some pieces based on y'all's earlier feedback. I'm looking forward to your
> feedback on, either here on the list, or at the workshop next week.

I see some issues:

- This mechanism looks to lack server opt-in, which runs into issues
  with EU "cookie law". Specifically, it does not seem to be possible
  to use this for any purpose without triggering disclaimer
  requirements. Whereas there are still use cases for cookies that do not
  necessarily do so (for example, login).

- The request signing mechanism looks like one that would break if
  there is some CDN or reverse proxy in the path that adds a header
  or a few (sometimes with some non-standard one in the mix). Or is it
  expected that all CDNs or reverse proxies on path for application
  using this mechanism can rewrite the MAC?


-Ilari
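
An added illustration of the second point above (not part of the original message and not taken from the draft): it assumes a MAC computed over every header the verifier sees, shows it failing once a constructed intermediary adds headers, and, going beyond the message, shows a MAC over an explicitly listed header set still verifying. The key, header names, serialization and function names are all constructed for this example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; not a value from the draft


def canonical(method, path, headers, covered=None):
    """Serialize the request parts that go under the MAC.

    covered=None means every header present (assumed whole-request signing);
    otherwise only the named headers are included.
    """
    items = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(items) if covered is None else [c.lower() for c in covered]
    lines = [f"{method} {path}"] + [f"{n}:{items.get(n, '')}" for n in names]
    return "\n".join(lines).encode()


def sign(method, path, headers, covered=None):
    msg = canonical(method, path, headers, covered)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(method, path, headers, mac, covered=None):
    return hmac.compare_digest(sign(method, path, headers, covered), mac)


def via_proxy(headers):
    """Constructed intermediary: adds hop headers, one of them non-standard."""
    out = dict(headers)
    out["Via"] = "1.1 edge.example"
    out["X-Edge-Request-Id"] = "constructed-id-123"
    return out


def demo():
    sent = {"Host": "app.example", "Accept": "text/html"}
    received = via_proxy(sent)          # what the origin server actually sees
    covered = ["host", "accept"]        # assumed explicit list of signed headers
    mac_all = sign("GET", "/account", sent)
    mac_listed = sign("GET", "/account", sent, covered)
    return {
        "direct": verify("GET", "/account", sent, mac_all),
        "proxied_all_headers": verify("GET", "/account", received, mac_all),
        "proxied_listed_headers": verify("GET", "/account", received, mac_listed, covered),
    }


if __name__ == "__main__":
    print(demo())
```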