Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Thomas Fossati <> Tue, 23 October 2012 21:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 610101F0C3A for <>; Tue, 23 Oct 2012 14:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id arDAgg-oVfe7 for <>; Tue, 23 Oct 2012 14:53:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BC6D21F0C92 for <>; Tue, 23 Oct 2012 14:53:52 -0700 (PDT)
Received: by with SMTP id s14so2938871qcg.31 for <>; Tue, 23 Oct 2012 14:53:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=TWR3Nz6onhA0qC5l/IWtt7BWf1hpGuavbCcobCaXcoQ=; b=pjLUeHBVOCE9BrNBIaZaQGWxUopOx8YHEAs183n4e90VnEra1GMtZOLWBRgx4jwAAY AccrM5fu++qeaOrUVjfWGiH8wsSE4Ui227gitOeQDihx9wkW/Gxi6sUTd0GtVVrA4gKV YGdY0dahkLsdiibNyro+0b/dNc9sLcf9yoPAgjQwHcl6LBmlS4Tve+F7OPi9+a7cyB9u zd6uhLeCqQO3kBY7pfZGAtiNzcFQBb/dJhbbWyDbgvLAr8TEHQBNIENwG6ZAeClQDP8i 2tinEIcSuIh8RIos/OLKxnGcCoEozIiWrECfEHOpzC/GWz9kwrQ0ydqGYLWGnqBFRoEY TkSg==
MIME-Version: 1.0
Received: by with SMTP id fw8mr6465296qab.92.1351029229148; Tue, 23 Oct 2012 14:53:49 -0700 (PDT)
Received: by with HTTP; Tue, 23 Oct 2012 14:53:49 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <>
Date: Tue, 23 Oct 2012 22:53:49 +0100
Message-ID: <>
From: Thomas Fossati <>
To: Mark Nottingham <>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQmQAdc7bVtBZXkglfzqaM3Y0sPfcD/CrmL9KrFktr3Djduo3f8QFDZlxPCTNcQoWfExvSY4
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Oct 2012 21:53:55 -0000

Hi Mark,

On Mon, Oct 22, 2012 at 11:31 PM, Mark Nottingham <> wrote:
> As far as I can tell, this document specifies some extensions to the Cookie / Set-Cookie (RFC6265),

SCS doesn't define any extension whatsoever.  It just specifies a
format for what 6265 already identifies as a security need for "plain"
cookies. From RFC 6265, Section 8.3.:

   Servers SHOULD encrypt and sign the contents of cookies (using
   whatever format the server desires) when transmitting them to the
   user agent (even when sending the cookies over a secure channel).

> and/or "squats" on some pre-defined cookie names.

No name squatting: ANY_COOKIE_NAME in Section 3.3. of SCS is just a
placeholder which really means what it says: any name the cookie maker
decides to uses.

> 6265 doesn't define how it's to be extended very well (possibly because the underlying assumption is that extensions are VERY difficult to deploy).

Sorry if I sound like a broken record, but I want to be ultra-clear on
this point: SCS is not an extension to the cookie exchange; and in
fact it works out of the box -- today and since 6 years now -- on any
browser with cookies enabled.

Cheers, Thomas.