Re: [saag] [apps-discuss] Input for conflict review of draft-secure-cookie-session-protocol

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 18 October 2012 05:08 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "saag@ietf.org" <saag@ietf.org>, Barry Leiba <barryleiba@computer.org>
Date: Thu, 18 Oct 2012 16:08:22 +1100

Barry,

draft-secure-cookie-session-protocol-08 is fairly close to the IETF JOSE working group’s JSON Web Encryption (JWE) format [draft-ietf-jose-json-web-encryption].

jose@ietf.org was one group NOT included in your email asking for conflict review.


draft-secure-cookie-session-protocol-08:
* a smallish text string with confidentiality and integrity protection; as does JWE
* symmetric key; which is one JWE option
* arbitrary binary content; same as JWE
* uses base64url encoding; same as JWE
* uses "|" as a separator; JWE uses "."
* deflate compression; same as JWE
* includes the time; signing-time field has been proposed for JWE
* single id indicates keys and algorithms; JWE has separate alg id, and (broken) key id

As to whether draft-secure-cookie-session-protocol-08 “could potentially disrupt the IETF work done in WG” JOSE… uhmm. Probably not.



--
James Manger


> -----Original Message-----
> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-
> bounces@ietf.org] On Behalf Of Barry Leiba
> Sent: Thursday, 18 October 2012 1:25 PM
> To: http-state@ietf.org; websec@ietf.org; ietf-http-wg@w3.org; apps-
> discuss@ietf.org; oauth@ietf.org
> Subject: [apps-discuss] Input for conflict review of draft-secure-
> cookie-session-protocol
> 
> A document titled "Secure Cookie Sessions for HTTP" has been submitted
> to the Independent Stream Editor (ISE):
> http://datatracker.ietf.org/doc/draft-secure-cookie-session-protocol/
> 
> The IESG has been asked to review the document, as specified in RFC
> 5742, Section 3.  The Security and Applications Area Directors are
> looking for input for that review.  Please post any relevant comments
> to the Security Area list, <saag@ietf.org>, as soon as possible, and at
> least by 1 November 2012.
> 
> Note: Please do NOT post responses to any of these mailing lists.
> Respond only to <saag@ietf.org> (using the subject line of this
> message).
> 
> Please read RFC 5742, Section 3, and be aware that we are not looking
> for detailed comments on the document itself (see below).  We
> specifically need input on whether this document is in conflict with
> work that's being done in the IETF.  Look at the five possible
> responses specified in that section, and help us determine whether any
> of 2 through 5 applies.  Please be specific in your response.
> 
> In addition to this, we're sure that the authors and the ISE would
> appreciate comments about the document.  If you have those, you may
> send them directly to the authors at <draft-secure-cookie-session-
> protocol@tools.ietf.org>
> and to the ISE at <rfc-ise@rfc-editor.org>.
> General discussion of the document on these lists or the saag list will
> likely not get to the authors or the ISE.
> 
> Barry Leiba, Applications AD