Re: [saag] Input for conflict review of draft-secure-cookie-session-protocol

Stephen Farrell <> Sun, 21 October 2012 11:24 UTC

Cc:, Nevil Brownlee <>

So looking at the mails on this, it strikes me that maybe
if the document had a slightly different title that might
resolve all the 5742 concerns about whether or not it
conflicts with IETF work.

If it were called "KoanLogic's Secure cookie Sessions
for HTTP" would that then be ok? IMO, it ought. That way,
the independent-stream RFC won't confuse anyone into
thinking that the IETF as a whole has developed this, but
if some IETF WG wants to do similar work, this could be
useful input. (And adding one word seems likely quicker
than organising and coming to IETF rough consensus;-)

What do folks (incl. authors) think of that?

I realise that the above suggested name isn't quite on
the button, since no doubt a lot of sites manage cookies
in almost the same way. But maybe it's good enough.


On 10/18/2012 03:13 AM, Barry Leiba wrote:
> A document titled "Secure Cookie Sessions for HTTP" has been submitted
> to the Independent Stream Editor (ISE):
> The IESG has been asked to review the document, as specified in RFC
> 5742, Section 3.  The Security and Applications Area Directors are
> looking for input for that review.  Please post any relevant comments
> to this list, <>, as soon as possible, and at least by 1
> November 2012.
> Please read RFC 5742, Section 3, and be aware that we are not looking
> for detailed comments on the document itself (see below).  We
> specifically need input on whether this document is in conflict with
> work that's being done in the IETF.  Look at the five possible
> responses specified in that section, and help us determine whether any
> of 2 through 5 applies.  Please be specific in your response.
> In addition to this, we're sure that the authors and the ISE would
> appreciate comments about the document.  If you have those, you may
> send them directly to the authors at
> <>
> and to the ISE at <>.
> General discussion of the document on this list will likely not get to the
> authors or the ISE.
> Barry Leiba, Applications AD