Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Barry Leiba <> Fri, 09 November 2012 13:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 417E421F8680 for <>; Fri, 9 Nov 2012 05:41:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KupmzuPq9Aqc for <>; Fri, 9 Nov 2012 05:41:32 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9FA4321F8621 for <>; Fri, 9 Nov 2012 05:41:31 -0800 (PST)
Received: by with SMTP id b11so3261587lam.31 for <>; Fri, 09 Nov 2012 05:41:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=7rFiIiL2f4rtE2q6Fl/BNPc7XbklZ5YMUXlQiHvpfBI=; b=PpxBWx+h9F/PMtrDgk3EFFfHnG7lUIq8vw4MyoOvioioiK6tg27DrwSnGCHjhhVaiL NeiV71Zr3KfujUFTjstuMaJpxAp8VHoXR72UfC6mdy0/p1kJ2AzefTGsJ7uAZKdiQedP 7cGHWIcKaDeXl8Gg9eIz1y1/Ct6FyhRNzAyqhu+7bmq2vRjnYYUVUIVns4fCBBheSStF CGOo6mIXkCzZkmJ5p62fl3QjP2EsSvBlmbSrTmmL+WZ7m7e0yR8xOnPUmk9TUEsgHCUz 6teYuX0MBBuLn6oQPkXJmm8ON46cVPmkMU2dDPfFIeEaEL3bS20IquiGxAjNdwRu3uRC iXJA==
MIME-Version: 1.0
Received: by with SMTP id gj1mr10638019lab.49.1352468490554; Fri, 09 Nov 2012 05:41:30 -0800 (PST)
Received: by with HTTP; Fri, 9 Nov 2012 05:41:30 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
Date: Fri, 09 Nov 2012 08:41:30 -0500
X-Google-Sender-Auth: xCLazMsPLOP50Tz5D9-6awz-Lvs
Message-ID: <>
From: Barry Leiba <>
To: saag <>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Nov 2012 13:41:36 -0000

I floated this about two weeks ago, and there've been no responses.
This tells me that there is *not* interest in taking this document on
in a working group, whether it be a revived httpstate WG, or the
existing websec group, or whatever.  It is on next week's telechat (15
Nov) for the IESG to decide how to respond to the Independent Stream
Editor about the document.

Unless we're convinced otherwise, I plan to propose the following for
IESG approval:

1. The 5742 response is, "The IESG has concluded that this work is
related to IETF work done in the websec and httpbis working groups,
but this relationship does not prevent publishing."

2. The authors are asked to please add the company name to the title
and introduction, to make it clear that this is their company's
proposal, presented for the community's information.


> All that said, here's what I think, as the AD who's shepherding this
> through the conflict review:
> 1. It's probably acceptable to do this through the ISE -- that is,
> this probably does not *conflict* with IETF work.
> 2. It's probably better to do this through the IETF Stream -- it will
> get better review and be a more solid document that way.
> 3. The authors are happy to do it that way; I've talked with them about it.
> 4. We could charter a new "son of httpstate" working group for this,
> we could fit it into an existing working group (httpbis or appsawg,
> likely), or we could do it as an AD-sponsored document (I would be
> happy to sponsor it, and I suspect Stephen would also).  If we did
> that, it would go as Proposed Standard   ... or we could let it
> continue through the Independent Stream, as Informational.
> Thoughts?