Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Willy Tarreau <w@1wt.eu> Thu, 18 October 2012 17:11 UTC

Return-Path: <w@1wt.eu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E18E21F86AB for <saag@ietfa.amsl.com>; Thu, 18 Oct 2012 10:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.898
X-Spam-Level:
X-Spam-Status: No, score=-4.898 tagged_above=-999 required=5 tests=[AWL=-2.855, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S93HazXjvHjD for <saag@ietfa.amsl.com>; Thu, 18 Oct 2012 10:11:40 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id 0724621F86A8 for <saag@ietf.org>; Thu, 18 Oct 2012 10:11:39 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id q9IHBTEo011923; Thu, 18 Oct 2012 19:11:29 +0200
Date: Thu, 18 Oct 2012 19:11:29 +0200
From: Willy Tarreau <w@1wt.eu>
To: Barry Leiba <barryleiba@computer.org>
Message-ID: <20121018171129.GO9392@1wt.eu>
References: <CALaySJK5JBo1cbsqcX6hyk0gSkDciZkX3o=o+rg9rgNVqBeRhw@mail.gmail.com> <20121018064805.GI7517@1wt.eu> <CAC4RtVBfZujwVN9NG1YyiCAm0yrV3Ufu+_SXtTJL4ZHC42tN6Q@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAC4RtVBfZujwVN9NG1YyiCAm0yrV3Ufu+_SXtTJL4ZHC42tN6Q@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Mailman-Approved-At: Mon, 22 Oct 2012 08:25:26 -0700
Cc: saag@ietf.org
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2012 17:11:42 -0000

Hi Barry,

On Thu, Oct 18, 2012 at 01:03:02PM -0400, Barry Leiba wrote:
> > I just checked the following document and have one main concern :
> ...
> > Hence, I'm failing to see what specific use case this protocol covers,
> > however I see a risk that it is adopted by users who don't completely
> > understand its security implications.
> 
> Willy, did you read my note carefully?  In particular:
> 
> > Please read RFC 5742, Section 3, and be aware that we are not looking
> > for detailed comments on the document itself (see below).  We
> > specifically need input on whether this document is in conflict with
> > work that's being done in the IETF.  Look at the five possible
> > responses specified in that section, and help us determine whether any
> > of 2 through 5 applies.  Please be specific in your response.
> 
> Your response is not related to whether this conflicts with existing
> IETF work, but is addressing issues in the document.

Well, maybe it's a matter of point of view. Adam took great care to
rework the cookie spec and achieve RFC6265 with a number of usage
recommendations to use cookies in the safest way. Since this draft
suggests a usage which seems totally insecure to me, I found it
appropriate to raise it as conflicting with the intended use of
cookies. Maybe I was wrong, and if so please accept my apologises.
Then it's unclear to me what kind of conflict should be raised :-/

>  You need to take
> these up with the authors and the Independent Stream Editor.  Again
> from my note:
> 
> > In addition to this, we're sure that the authors and the ISE would
> > appreciate comments about the document.  If you have those, you may
> > send them directly to the authors at
> > <draft-secure-cookie-session-protocol@tools.ietf.org>
> > and to the ISE at <rfc-ise@rfc-editor.org>rg>.

OK I will resend there then.
Thanks and sorry for the confusion.

Willy