Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Thomas Fossati <tho@koanlogic.com> Tue, 23 October 2012 21:53 UTC

In-Reply-To: <4B8D0A93-3838-4CDB-939B-1183718EFFFE@mnot.net>
References: <CALaySJK5JBo1cbsqcX6hyk0gSkDciZkX3o=o+rg9rgNVqBeRhw@mail.gmail.com> <4B8D0A93-3838-4CDB-939B-1183718EFFFE@mnot.net>
Date: Tue, 23 Oct 2012 22:53:49 +0100
Message-ID: <CAByMhx9YNwHrXxaQ6E12WVbnfTmSy3aeanS4bnZ7CoTm9rEP+w@mail.gmail.com>
From: Thomas Fossati <tho@koanlogic.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: saag@ietf.org
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Hi Mark,

On Mon, Oct 22, 2012 at 11:31 PM, Mark Nottingham <mnot@mnot.net> wrote:
>
> As far as I can tell, this document specifies some extensions to the Cookie / Set-Cookie (RFC6265),

SCS doesn't define any extension whatsoever.  It just specifies a
format for what 6265 already identifies as a security need for "plain"
cookies. From RFC 6265, Section 8.3:

   Servers SHOULD encrypt and sign the contents of cookies (using
   whatever format the server desires) when transmitting them to the
   user agent (even when sending the cookies over a secure channel).

> and/or "squats" on some pre-defined cookie names.

No name squatting: ANY_COOKIE_NAME in Section 3.3 of SCS is just a
placeholder which really means what it says: any name the cookie maker
decides to use.

> 6265 doesn't define how it's to be extended very well (possibly because the underlying assumption is that extensions are VERY difficult to deploy).

Sorry if I sound like a broken record, but I want to be ultra-clear on
this point: SCS is not an extension to the cookie exchange; and in
fact it works out of the box -- today and for 6 years now -- on any
browser with cookies enabled.

Cheers, Thomas.
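The RFC 6265 Section 8.3 recommendation quoted in the message ("encrypt and sign the contents of cookies, using whatever format the server desires") is illustrated below with an added example that is not part of the thread and is not the SCS wire format. It uses AES-GCM, an authenticated cipher, so one operation provides both the confidentiality and the integrity the RFC asks for; the cookie name is bound as associated data so a sealed value cannot be replayed under a different cookie name. The key, cookie name and session payload are constructed values for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrInvalidCookie is returned for any value that does not decode, is too
// short, or fails authentication. Callers get one generic error so they do
// not leak which check failed.
var ErrInvalidCookie = errors.New("cookie failed authentication")

// CookieSealer turns server-side session state into an opaque cookie value
// that is both encrypted and integrity-protected (RFC 6265, Section 8.3).
type CookieSealer struct {
	aead cipher.AEAD
}

// NewCookieSealer takes a 16-, 24- or 32-byte AES key. In production the key
// comes from the server's key store; the caller never derives it from a cookie.
func NewCookieSealer(key []byte) (*CookieSealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CookieSealer{aead: aead}, nil
}

// Seal returns base64url(nonce || ciphertext || tag). A fresh random nonce is
// used per value; the cookie name is authenticated as associated data so the
// value is only valid when presented under that name.
func (s *CookieSealer) Seal(cookieName string, plaintext []byte) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := s.aead.Seal(nonce, nonce, plaintext, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. Any modification to the value, or presenting it under a
// different cookie name, makes the GCM tag check fail.
func (s *CookieSealer) Open(cookieName, value string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, ErrInvalidCookie
	}
	ns := s.aead.NonceSize()
	if len(raw) < ns+s.aead.Overhead() {
		return nil, ErrInvalidCookie
	}
	plaintext, err := s.aead.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
	if err != nil {
		return nil, ErrInvalidCookie
	}
	return plaintext, nil
}

func main() {
	// Constructed demo key; a real server loads this from its key store.
	key := make([]byte, 32)
	for i := range key {
		key[i] = 0x42
	}
	sealer, err := NewCookieSealer(key)
	if err != nil {
		panic(err)
	}
	// Constructed session state; any cookie name works, as the message notes.
	value, _ := sealer.Seal("sid", []byte("user=alice;role=member"))
	fmt.Println("Set-Cookie: sid=" + value + "; Secure; HttpOnly")

	// Flip one bit of the tag: the browser-returned value no longer opens.
	raw, _ := base64.RawURLEncoding.DecodeString(value)
	raw[len(raw)-1] ^= 0x01
	_, err = sealer.Open("sid", base64.RawURLEncoding.EncodeToString(raw))
	fmt.Println("tampered cookie rejected:", err == ErrInvalidCookie)
}
```

Because the whole value is ciphertext plus tag, the server can put session attributes directly in the cookie without a server-side session table, which is the deployment property the message describes: nothing about the Cookie/Set-Cookie exchange changes, so any cookie-enabled browser carries the value unmodified.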