Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 18 October 2012 20:37 UTC

Hello,

After a brief review of the draft, I got quite a bit of a headache with 
this draft.
Answers inline.

Tobias


On 18/10/12 18:22, Barry Leiba wrote:
>> Well, maybe it's a matter of point of view. Adam took great care to
>> rework the cookie spec and achieve RFC6265 with a number of usage
>> recommendations to use cookies in the safest way. Since this draft
>> suggests a usage which seems totally insecure to me, I found it
>> appropriate to raise it as conflicting with the intended use of
>> cookies. Maybe I was wrong, and if so please accept my apologies.
>> Then it's unclear to me what kind of conflict should be raised :-/
> True, and it's sometimes unclear to us as well.  I'll see your :-/ and
> raise you a :-(
>
> What we're looking for is this sort of thing:
> - Is this document in direct conflict with current work in a working
> group?  Which one(s)?
Not to my knowledge. (talking about websec)
But it may be in conflict with use cases for cookies.

> - Should this be handled by an existing working group?  Which one?
Yes. IMHO this is actually very dangerous stuff. The implied use 
case/proposal is to not store state on a server at all and store and 
trust it on the client only, which would be a major paradigm shift. And 
it would actually go against many security recommendations I have given and 
received in the past.

> - Should a new working group be chartered for this, rather than doing
> it as an Independent Submission?
No. No new WG, but I think we should try to fit it into one of the 
existing working groups.

> - Does it appear that the authors are trying to get around the system
> by submitting this to the ISE?
> - Is this spec proposing something sufficiently harmful that it needs
> proper IETF review to fix it?
Yes. As explained above: In my view this can be playing with fire.
I believe such a paradigm deserves (and needs) IETF review.

>
> I suppose your comments could be arguing for that last one.
>
> But look at the list in RFC 5742, Section 3, and comment here on which
> of the five responses you think applies to this document.  And then
> definitely give your other feedback on the document to the ISE and the
> document authors.
>
> Thanks, Willy.
>
> Barry