Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
Willy Tarreau <w@1wt.eu> Thu, 18 October 2012 17:11 UTC
Date: Thu, 18 Oct 2012 19:11:29 +0200
From: Willy Tarreau <w@1wt.eu>
To: Barry Leiba <barryleiba@computer.org>
Message-ID: <20121018171129.GO9392@1wt.eu>
References: <CALaySJK5JBo1cbsqcX6hyk0gSkDciZkX3o=o+rg9rgNVqBeRhw@mail.gmail.com> <20121018064805.GI7517@1wt.eu> <CAC4RtVBfZujwVN9NG1YyiCAm0yrV3Ufu+_SXtTJL4ZHC42tN6Q@mail.gmail.com>
In-Reply-To: <CAC4RtVBfZujwVN9NG1YyiCAm0yrV3Ufu+_SXtTJL4ZHC42tN6Q@mail.gmail.com>
Cc: saag@ietf.org
Hi Barry,

On Thu, Oct 18, 2012 at 01:03:02PM -0400, Barry Leiba wrote:
> > I just checked the following document and have one main concern:
> ...
> > Hence, I'm failing to see what specific use case this protocol covers,
> > however I see a risk that it is adopted by users who don't completely
> > understand its security implications.
>
> Willy, did you read my note carefully? In particular:
>
> > Please read RFC 5742, Section 3, and be aware that we are not looking
> > for detailed comments on the document itself (see below). We
> > specifically need input on whether this document is in conflict with
> > work that's being done in the IETF. Look at the five possible
> > responses specified in that section, and help us determine whether any
> > of 2 through 5 applies. Please be specific in your response.
>
> Your response is not related to whether this conflicts with existing
> IETF work, but is addressing issues in the document.

Well, maybe it's a matter of point of view. Adam took great care to rework the cookie spec and achieve RFC6265 with a number of usage recommendations to use cookies in the safest way. Since this draft suggests a usage which seems totally insecure to me, I found it appropriate to raise it as conflicting with the intended use of cookies. Maybe I was wrong, and if so please accept my apologies. Then it's unclear to me what kind of conflict should be raised :-/

> You need to take
> these up with the authors and the Independent Stream Editor. Again
> from my note:
>
> > In addition to this, we're sure that the authors and the ISE would
> > appreciate comments about the document. If you have those, you may
> > send them directly to the authors at
> > <draft-secure-cookie-session-protocol@tools.ietf.org>
> > and to the ISE at <rfc-ise@rfc-editor.org>.

OK, I will resend there then. Thanks and sorry for the confusion.

Willy