Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Barry Leiba <> Thu, 18 October 2012 17:22 UTC

From: Barry Leiba <>
To: Willy Tarreau <>
List-Id: Security Area Advisory Group <>

> Well, maybe it's a matter of point of view. Adam took great care to
> rework the cookie spec and achieve RFC6265 with a number of usage
> recommendations to use cookies in the safest way. Since this draft
> suggests a usage which seems totally insecure to me, I found it
> appropriate to raise it as conflicting with the intended use of
> cookies. Maybe I was wrong, and if so please accept my apologies.
> Then it's unclear to me what kind of conflict should be raised :-/

True, and it's sometimes unclear to us as well.  I'll see your :-/ and
raise you a :-(

What we're looking for is this sort of thing:
- Is this document in direct conflict with current work in a working
group?  Which one(s)?
- Should this be handled by an existing working group?  Which one?
- Should a new working group be chartered for this, rather than doing
it as an Independent Submission?
- Does it appear that the authors are trying to get around the system
by submitting this to the ISE?
- Is this spec proposing something sufficiently harmful that it needs
proper IETF review to fix it?

I suppose your comments could be arguing for that last one.

But look at the list in RFC 5742, Section 3, and comment here on which
of the five responses you think applies to this document.  And then
definitely give your other feedback on the document to the ISE and the
document authors.

Thanks, Willy.