Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Mark Nottingham <mnot@mnot.net> Wed, 24 October 2012 04:56 UTC

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 24 Oct 2012 15:56:43 +1100
To: Thomas Fossati <tho@koanlogic.com>
Cc: saag@ietf.org
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Hi,

If you're finding yourself saying it repeatedly, it might be worth explicitly documenting what the relationship to existing cookies is, what the expectations are for the various parties involved, and giving a bit more information about the use case.

Cheers,


On 24/10/2012, at 8:53 AM, Thomas Fossati <tho@koanlogic.com> wrote:

> Hi Mark,
> 
> On Mon, Oct 22, 2012 at 11:31 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> 
>> As far as I can tell, this document specifies some extensions to the Cookie / Set-Cookie (RFC6265),
> 
> SCS doesn't define any extension whatsoever.  It just specifies a
> format for what 6265 already identifies as a security need for "plain"
> cookies. From RFC 6265, Section 8.3:
> 
>   Servers SHOULD encrypt and sign the contents of cookies (using
>   whatever format the server desires) when transmitting them to the
>   user agent (even when sending the cookies over a secure channel).
> 
>> and/or "squats" on some pre-defined cookie names.
> 
> No name squatting: ANY_COOKIE_NAME in Section 3.3 of SCS is just a
> placeholder which really means what it says: any name the cookie maker
> decides to use.
> 
>> 6265 doesn't define how it's to be extended very well (possibly because the underlying assumption is that extensions are VERY difficult to deploy).
> 
> Sorry if I sound like a broken record, but I want to be ultra-clear on
> this point: SCS is not an extension to the cookie exchange; and in
> fact it works out of the box -- today and for 6 years now -- on any
> browser with cookies enabled.
> 
> Cheers, Thomas.

--
Mark Nottingham   http://www.mnot.net/
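The RFC 6265 Section 8.3 guidance quoted in the reply above (servers should encrypt and sign cookie contents, in whatever format they choose) as an added Go example; this is not SCS's own wire format and not code from either participant, and the key, the nonce||ciphertext layout and the embedded expiry field are constructed here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// sealCookie returns base64url(nonce || AES-GCM(expiry || state)); a constructed layout, not the SCS wire format.
func sealCookie(key, state []byte, expiry time.Time) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return "", err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return "", err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	plain := make([]byte, 8+len(state))
	binary.BigEndian.PutUint64(plain, uint64(expiry.Unix())) // expiry travels inside the sealed data
	copy(plain[8:], state)
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// openCookie authenticates, decrypts and checks expiry; tampering, truncation or a wrong key fails closed before any plaintext is used.
func openCookie(key []byte, value string, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead()+8 { return nil, errors.New("cookie too short") }
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil { return nil, errors.New("cookie authentication failed") }
	if !now.Before(time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)) { return nil, errors.New("cookie expired") }
	return plain[8:], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; load from a secret store in practice
	v, _ := sealCookie(key, []byte("uid=42;role=user"), time.Now().Add(time.Hour))
	state, err := openCookie(key, v, time.Now())
	fmt.Printf("Set-Cookie: session=%s\nstate=%q err=%v\n", v, state, err)
}
```

Because the browser only ever sees an opaque value, the server can change the format at will without touching the Cookie/Set-Cookie exchange, which is the point made in the reply.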