Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Tobias Gondrom <> Thu, 18 October 2012 20:37 UTC

Date: Thu, 18 Oct 2012 21:37:33 +0100
From: Tobias Gondrom <>

After a brief review of the draft, I got quite a bit of a headache with
this draft.
Answers inline.


On 18/10/12 18:22, Barry Leiba wrote:
>> Well, maybe it's a matter of point of view. Adam took great care to
>> rework the cookie spec and achieve RFC6265 with a number of usage
>> recommendations to use cookies in the safest way. Since this draft
>> suggests a usage which seems totally insecure to me, I found it
>> appropriate to raise it as conflicting with the intended use of
>> cookies. Maybe I was wrong, and if so please accept my apologies.
>> Then it's unclear to me what kind of conflict should be raised :-/
> True, and it's sometimes unclear to us as well.  I'll see your :-/ and
> raise you a :-(
> What we're looking for is this sort of thing:
> - Is this document in direct conflict with current work in a working
> group?  Which one(s)?
Not to my knowledge. (talking about websec)
But it may be in conflict with use cases for cookies.

> - Should this be handled by an existing working group?  Which one?
Yes. IMHO this is actually very dangerous stuff. The implied use
case/proposal is to not store state on a server at all and to store and
trust it on the client only, which would be a major paradigm shift, and
would actually go against many security recommendations I have given and
received in the past.

> - Should a new working group be chartered for this, rather than doing
> it as an Independent Submission?
No. No new WG, but I think we should try to fit it into one of the
existing working groups.

> - Does it appear that the authors are trying to get around the system
> by submitting this to the ISE?
> - Is this spec proposing something sufficiently harmful that it needs
> proper IETF review to fix it?
Yes. As explained above: In my view this can be playing with fire.
I believe such a paradigm deserves (and needs) IETF review.

> I suppose your comments could be arguing for that last one.
> But look at the list in RFC 5742, Section 3, and comment here on which
> of the five responses you think applies to this document.  And then
> definitely give your other feedback on the document to the ISE and the
> document authors.
> Thanks, Willy.
> Barry