Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Barry Leiba <barryleiba@computer.org> Thu, 18 October 2012 17:03 UTC

To: Willy Tarreau <w@1wt.eu>
Cc: saag@ietf.org

> I just checked the following document and have one main concern :
...
> Hence, I'm failing to see what specific use case this protocol covers,
> however I see a risk that it is adopted by users who don't completely
> understand its security implications.

Willy, did you read my note carefully?  In particular:

> Please read RFC 5742, Section 3, and be aware that we are not looking
> for detailed comments on the document itself (see below).  We
> specifically need input on whether this document is in conflict with
> work that's being done in the IETF.  Look at the five possible
> responses specified in that section, and help us determine whether any
> of 2 through 5 applies.  Please be specific in your response.

Your response is not related to whether this conflicts with existing
IETF work, but is addressing issues in the document.  You need to take
these up with the authors and the Independent Stream Editor.  Again
from my note:

> In addition to this, we're sure that the authors and the ISE would
> appreciate comments about the document.  If you have those, you may
> send them directly to the authors at
> <draft-secure-cookie-session-protocol@tools.ietf.org>
> and to the ISE at <rfc-ise@rfc-editor.org>.
> General discussion of the document on these lists or the saag list will
> likely not get to the authors or the ISE.

Barry