Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 20 October 2012 09:29 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15AC321F8532 for <saag@ietfa.amsl.com>; Sat, 20 Oct 2012 02:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIvWaZueocRo for <saag@ietfa.amsl.com>; Sat, 20 Oct 2012 02:29:05 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id D6DEE21F850B for <saag@ietf.org>; Sat, 20 Oct 2012 02:29:04 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=tQzk4hHZSBd5ZMMH36MFPjw7gi1QgHhMPT/vRvUX/oWxm1BejeLqjFGzvdwt6EmAY5Pcc2l+aGG+ILrDNDU/fEOI7zhWbwZ2SYrbE7qSzM7KwgOD6zUEqkB1x1NZp2JG; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 9507 invoked from network); 20 Oct 2012 11:29:02 +0200
Received: from 188-223-113-88.zone14.bethere.co.uk (HELO ?192.168.1.65?) (188.223.113.88) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 20 Oct 2012 11:29:02 +0200
Message-ID: <50826EDE.6000509@gondrom.org>
Date: Sat, 20 Oct 2012 10:29:02 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: tho@koanlogic.com
References: <CAByMhx90Nk+hsw3PUqunP022av1wSYf0OXxKi6Z1U=-zOe5RzQ@mail.gmail.com> <CAByMhx_82B6ApLjOnj3v6BYU90opPs9MR7U-BLpbg91-FnPQAg@mail.gmail.com>
In-Reply-To: <CAByMhx_82B6ApLjOnj3v6BYU90opPs9MR7U-BLpbg91-FnPQAg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Oct 2012 09:29:06 -0000
Hi Thomas, thank you for providing the background about this. Obviously I didn't know about the IRTF CFRG, as I did not attend that IRTF group meeting at the time. And I can imagine it can be quite frustrating for you having to explain the history and your draft again and again to the different audiences and groups over the years. ;-) Maybe some thoughts on why I think this would benefit from IETF review: I can see the underlying idea and understand the potential use case of storing state on the client in an encrypted container. However, I see quite a few potential issues that could arise with this draft. I am not saying "don't do it", all I am saying is that I really think this deserves IETF review (either in saag, or even better an IETF WG (not IRTF). Just as an example: already the very first sentence in the introduction some assumptions are half-true/half-false (like e.g. that cookies would be "... un-authenticated and sent in clear text." In many applications (though not all of them) cookies are in fact transmitted over HTTPS and in an authenticated session and not in clear-text...) A number of questions with this drafts make me suggest that IETF review is a good thing (including the question whether IETF wants to do this at all): - is the underlying use case valid for the draft? I am not sure of that. - the text of the draft would hint towards status as Experimental, not as Informational? Why Informational? - Is there the vision of interoperability between different implementations for this? Please note, that I don't deny at all, that there is a security considerations section - and in the case of this draft, I actually like that it is quite detailed on security implications compared to some other drafts I've reviewed in the past years, but I would question whether in fact suggesting to store server state only in a client is a good idea at all, as it opens quite a number of security problems. All this leads me to the recommendation to apply IETF review for this draft to avoid trouble. However, this is only IMHO, for you, saag and the ADs to consider. And I have the highest regard for Jim and our other reviewers. So consider this just as my 5cents and I will hand over to others on saag (including Jim) to comment and decide on whether we should give this more IETF review or not... Best regards, Tobias On 19/10/12 15:32, Thomas Fossati wrote: > Hi Tobias, > >>> - Should this be handled by an existing working group? Which one? >> Yes. > A little bit of context, to hopefully give everyone the reasons why > and how we are here. > > SCS was presented for the first time (to get expert review/feedback) > to IRTF CFRG in September 2006: > > http://www.ietf.org/mail-archive/web/cfrg/current/msg01307.html > > Then after a long pause, I brought it to the IETF (http-state WG) in > February 2011: > > http://www.ietf.org/mail-archive/web/http-state/current/msg01227.html > > where I've tried to propose it as a working group item, with no avail. > (Please note that this pre-dates JOSE BoF which was held in March 2011 IIRC.) > > So, the natural outcome was to go through ISE, which I've done in December 2011. > > > In these years, in different occasions it has received extensive > review by a couple of well known and respected security guys -- David > Wagner and Jim Schaad. > > The whole shebang is nothing new, just a simple bearer token format > which is suitable for use in HTTP (in cookies and URIs, or any other > HTTP header value). With the added value that it can be traced back > to a provably secure authenticated encryption scheme. > > I've taken the trouble to publish as I though it could provide a solid > and reusable building block for developers, that, as a bonus, are also > given a reference open-source implementation. > > The Security Consideration has plenty of material about the possible > risks and related countermeasures / mitigations. If there's something > that really needs to be said and it's not already there, please state > it precisely and I'll do the needed editing. > > I like to hear solid technical comments, I really like it, and I'm > totally open to modify the I-D as long as the proposed modifications > makes it a better document. This is the sole purpose of going through > the IETF process, after all. > > Thanks, Thomas. > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] Input for conflict review of draft-secure-… Barry Leiba
- Re: [saag] [apps-discuss] Input for conflict revi… Barry Leiba
- Re: [saag] [apps-discuss] Input for conflict revi… Manger, James H
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… SM
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- [saag] Input for conflict review of draft-secure-… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- Re: [saag] Input for conflict review of draft-sec… Hannes Tschofenig
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… =JeffH
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Mark Nottingham
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Mark Nottingham
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba