Re: [OAUTH-WG] MAC: creation-time when a cookie is renewed
Adam Barth <ietf@adambarth.com> Wed, 15 June 2011 07:16 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 553CD21F84B2 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 00:16:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Level:
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[AWL=-0.350, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MsMub3M1bsTJ for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 00:16:07 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 48A5B21F84AE for <oauth@ietf.org>; Wed, 15 Jun 2011 00:16:06 -0700 (PDT)
Received: by yxt33 with SMTP id 33so123790yxt.31 for <oauth@ietf.org>; Wed, 15 Jun 2011 00:16:05 -0700 (PDT)
Received: by 10.236.66.17 with SMTP id g17mr272912yhd.106.1308122165589; Wed, 15 Jun 2011 00:16:05 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by mx.google.com with ESMTPS id 1sm84033yhs.81.2011.06.15.00.16.04 (version=SSLv3 cipher=OTHER); Wed, 15 Jun 2011 00:16:04 -0700 (PDT)
Received: by gxk19 with SMTP id 19so102551gxk.31 for <oauth@ietf.org>; Wed, 15 Jun 2011 00:16:04 -0700 (PDT)
Received: by 10.90.197.15 with SMTP id u15mr405595agf.148.1308122164090; Wed, 15 Jun 2011 00:16:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.65.13 with HTTP; Wed, 15 Jun 2011 00:15:34 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11286961435@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11286961435@WSMSG3153V.srv.dir.telstra.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 15 Jun 2011 00:15:34 -0700
Message-ID: <BANLkTimOwbef+38An2CUVWt92-4VKgVATg@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: creation-time when a cookie is renewed
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 07:16:08 -0000
These problems all seem sovled with the new definition of age to not be necessarily related to time. Adam On Wed, Jun 15, 2011 at 12:07 AM, Manger, James H <James.H.Manger@team.telstra.com> wrote: > The MAC scheme’s cookie mode [draft-ietf-oauth-v2-http-mac-00, section 6] > says the cookie’s creation-time is used to determine the age that goes in > the nonce in a request. The creation-time is the time the client receives > the Set-Cookie response – unless the client already has a cookie with the > same name, domain, and path, in which case the creation-time of the existing > cookie is kept [rfc6265 HTTP state management mechanism, section 5.3, step > 11.3]. > > Is this going to cause complications in practice? > > A server will need to know if a client has an existing cookie before issuing > a new one. That should be possible as the old cookie will be included in the > request whose response contains the Set-Cookie header for the new cookie. > > There are some corner cases, such as an old cookie that expires after being > sent to the server, but before the new cookie is returned. Perhaps they are > rare enough to ignore. > > If a server crashes then reboots (loosing in-memory details about old > cookies) it cannot just issue new cookies. First it needs to issue an > expired cookie to clear the client’s cookie store (deleting the old cookie > that has a creation-time that the server no longer knows), then issue a new > cookie with a known creation-time. That sounds painful (ie will not be > implemented initially, but will eventually cause a nasty outage). > > > > It might encourage people to tack the creation-time into the cookie-value. > Do that without integrity protection, however, and you are open to replay > attacks. > > > > -- > > James Manger > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] MAC: creation-time when a cookie is re… Manger, James H
- Re: [OAUTH-WG] MAC: creation-time when a cookie i… Adam Barth