Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

SM <> Thu, 18 October 2012 17:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 007F921F877D for <>; Thu, 18 Oct 2012 10:02:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.587
X-Spam-Status: No, score=-102.587 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id plPYev91h+JT for <>; Thu, 18 Oct 2012 10:02:48 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id 3290421F875C for <>; Thu, 18 Oct 2012 10:02:48 -0700 (PDT)
Received: from (IDENT:sm@localhost []) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id q9IH2InO004725; Thu, 18 Oct 2012 10:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1350579743; bh=Wth8x54pHCQesSBuyX53TVsNaQSQkTDmyBhRGf36840=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=cKxVwrnENjNr/XpS4KPTkFyPca1VaFDlHvyVHI598ZEs8v4xM/32ds3vMYkS3S9H3 CeV2ZaGxbVahI0Pb51GUCNFJ1zUb/nvyfo1sk11vc93tN+O2MY0CiYnHNfBy+jJ2Ea ZhTOB51TNfwfipTe37UeO9ii+WrHbwBoHln/kAYY=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1350579743;; bh=Wth8x54pHCQesSBuyX53TVsNaQSQkTDmyBhRGf36840=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=eLl7o+I8eqjdkI5fko3VtDxbhLTBX3Es3Z16k0FtLyrl9x+J2DnxHiWP/WRZT8Mzt 4JFILbVrVBuLnOTkSR6VzxpJnXejR9/pCpaWE0yL5/aWKrBkd3D6Odca3XDWmuT431 bCOSo0eosDdJYN08dEs9GqVqzsa7GQR0uXmIyIPc=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Thu, 18 Oct 2012 09:37:35 -0700
To: Willy Tarreau <>
From: SM <>
In-Reply-To: <>
References: <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Oct 2012 17:02:49 -0000

Hi Willy,
At 23:48 17-10-2012, Willy Tarreau wrote:
>Hence, I'm failing to see what specific use case this protocol covers,
>however I see a risk that it is adopted by users who don't completely
>understand its security implications. The focus is clearly set on how
>the cookie contents are secured but not that much on what it should or
>should not be used for.

The draft is supposed to be published through in the Independent 
Submissions stream.  What that means is that the document won't be an 
IETF specification or IETF "standard".  The question was whether the 
document conflicts with existing IETF work as the publication of the 
document as a RFC might be blocked or a note might be added to it.

A conflict review does not get into whether a protocol is "good" or 
"bad".  It may be better to send the above comment to