[saag] Input for conflict review of draft-secure-cookie-session-protocol
Thomas Fossati <tho@koanlogic.com> Fri, 19 October 2012 14:32 UTC
Return-Path: <tho@koanlogic.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E0721F86E9 for <saag@ietfa.amsl.com>; Fri, 19 Oct 2012 07:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kS26GP29ofnF for <saag@ietfa.amsl.com>; Fri, 19 Oct 2012 07:32:53 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4DCA121F86E6 for <saag@ietf.org>; Fri, 19 Oct 2012 07:32:53 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id 25so164742qao.10 for <saag@ietf.org>; Fri, 19 Oct 2012 07:32:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:content-type:x-gm-message-state; bh=YS3Q0raSVNjqBALc3I4NgEwtxMH7nce3VqOQ1VOcdMw=; b=gVsqf1Y5d0WY2pTbjbcJeRDqK6HT8rmDpg8wr8XutzRJo2HPbp3YacVdZcCh2X4ktY nr6CCEEiwps+R9VpVJNXcReRJuEzFeXS8H3bwYsOku9EI9WNOmE2P0VOupnkmdo1k4vT gemCkujJwAdTCrGCBrb0RM2PIe66pLKikS6Uwjcscs9/Zjeo6RYv7yNwwdt+mHEZJLGr UFD+6mFXLIWHETMLUiRGdX11eYkdTodVfZdqYaBqkcUWPd0udId/ScPp9oPQ+e3qkKLr tNw1svyYLuLOwext9aUByrVACKU3FHWyn+qXfbzYmCZ92l1CAHuQEq5Nxb+T+8fmlG3m HLgA==
MIME-Version: 1.0
Received: by 10.49.103.162 with SMTP id fx2mr838867qeb.1.1350657172607; Fri, 19 Oct 2012 07:32:52 -0700 (PDT)
Received: by 10.49.26.170 with HTTP; Fri, 19 Oct 2012 07:32:52 -0700 (PDT)
X-Originating-IP: [81.134.152.4]
In-Reply-To: <CAByMhx90Nk+hsw3PUqunP022av1wSYf0OXxKi6Z1U=-zOe5RzQ@mail.gmail.com>
References: <CAByMhx90Nk+hsw3PUqunP022av1wSYf0OXxKi6Z1U=-zOe5RzQ@mail.gmail.com>
Date: Fri, 19 Oct 2012 15:32:52 +0100
Message-ID: <CAByMhx_82B6ApLjOnj3v6BYU90opPs9MR7U-BLpbg91-FnPQAg@mail.gmail.com>
From: Thomas Fossati <tho@koanlogic.com>
To: saag@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlFNk9tr++dwjx847RDxCaoRiGBVx9CF06XSyEaw/fdKsrCMdxxBDlKeCOfGvtEiYUrvOT5
Subject: [saag] Input for conflict review of draft-secure-cookie-session-protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2012 14:32:54 -0000
Hi Tobias, >> - Should this be handled by an existing working group? Which one? > Yes. A little bit of context, to hopefully give everyone the reasons why and how we are here. SCS was presented for the first time (to get expert review/feedback) to IRTF CFRG in September 2006: http://www.ietf.org/mail-archive/web/cfrg/current/msg01307.html Then after a long pause, I brought it to the IETF (http-state WG) in February 2011: http://www.ietf.org/mail-archive/web/http-state/current/msg01227.html where I've tried to propose it as a working group item, with no avail. (Please note that this pre-dates JOSE BoF which was held in March 2011 IIRC.) So, the natural outcome was to go through ISE, which I've done in December 2011. In these years, in different occasions it has received extensive review by a couple of well known and respected security guys -- David Wagner and Jim Schaad. The whole shebang is nothing new, just a simple bearer token format which is suitable for use in HTTP (in cookies and URIs, or any other HTTP header value). With the added value that it can be traced back to a provably secure authenticated encryption scheme. I've taken the trouble to publish as I though it could provide a solid and reusable building block for developers, that, as a bonus, are also given a reference open-source implementation. The Security Consideration has plenty of material about the possible risks and related countermeasures / mitigations. If there's something that really needs to be said and it's not already there, please state it precisely and I'll do the needed editing. I like to hear solid technical comments, I really like it, and I'm totally open to modify the I-D as long as the proposed modifications makes it a better document. This is the sole purpose of going through the IETF process, after all. Thanks, Thomas.
- [saag] Input for conflict review of draft-secure-… Barry Leiba
- Re: [saag] [apps-discuss] Input for conflict revi… Barry Leiba
- Re: [saag] [apps-discuss] Input for conflict revi… Manger, James H
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… SM
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- [saag] Input for conflict review of draft-secure-… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- Re: [saag] Input for conflict review of draft-sec… Hannes Tschofenig
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… Willy Tarreau
- Re: [saag] Input for conflict review of draft-sec… =JeffH
- Re: [saag] Input for conflict review of draft-sec… Tobias Gondrom
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Mark Nottingham
- Re: [saag] Input for conflict review of draft-sec… Thomas Fossati
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba
- Re: [saag] Input for conflict review of draft-sec… Stephen Farrell
- Re: [saag] Input for conflict review of draft-sec… Mark Nottingham
- Re: [saag] Input for conflict review of draft-sec… Barry Leiba