Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

[Willy Tarreau <w@1wt.eu>]

Hi Barry,

On Thu, Oct 18, 2012 at 01:03:02PM -0400, Barry Leiba wrote:
> > I just checked the following document and have one main concern :
> ...
> > Hence, I'm failing to see what specific use case this protocol covers,
> > however I see a risk that it is adopted by users who don't completely
> > understand its security implications.
> 
> Willy, did you read my note carefully?  In particular:
> 
> > Please read RFC 5742, Section 3, and be aware that we are not looking
> > for detailed comments on the document itself (see below).  We
> > specifically need input on whether this document is in conflict with
> > work that's being done in the IETF.  Look at the five possible
> > responses specified in that section, and help us determine whether any
> > of 2 through 5 applies.  Please be specific in your response.
> 
> Your response is not related to whether this conflicts with existing
> IETF work, but is addressing issues in the document.

Well, maybe it's a matter of point of view. Adam took great care to
rework the cookie spec and achieve RFC6265 with a number of usage
recommendations to use cookies in the safest way. Since this draft
suggests a usage which seems totally insecure to me, I found it
appropriate to raise it as conflicting with the intended use of
cookies. Maybe I was wrong, and if so please accept my apologises.
Then it's unclear to me what kind of conflict should be raised :-/

>  You need to take
> these up with the authors and the Independent Stream Editor.  Again
> from my note:
> 
> > In addition to this, we're sure that the authors and the ISE would
> > appreciate comments about the document.  If you have those, you may
> > send them directly to the authors at
> > <draft-secure-cookie-session-protocol@tools.ietf.org>
> > and to the ISE at <rfc-ise@rfc-editor.org>.

OK I will resend there then.
Thanks and sorry for the confusion.

Willy