Re: [secdir] Fwd: RE: SecDir review of draft-williams-websec-session-continue-prob-00

Ben Laurie <benl@google.com> Thu, 07 February 2013 01:58 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BA2A21E8034 for <secdir@ietfa.amsl.com>; Wed, 6 Feb 2013 17:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.978
X-Spam-Level:
X-Spam-Status: No, score=-101.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POYRZanis0tK for <secdir@ietfa.amsl.com>; Wed, 6 Feb 2013 17:58:28 -0800 (PST)
Received: from mail-ia0-x236.google.com (mail-ia0-x236.google.com [IPv6:2607:f8b0:4001:c02::236]) by ietfa.amsl.com (Postfix) with ESMTP id C2B5021F8505 for <secdir@ietf.org>; Wed, 6 Feb 2013 17:58:28 -0800 (PST)
Received: by mail-ia0-f182.google.com with SMTP id w33so2415115iag.41 for <secdir@ietf.org>; Wed, 06 Feb 2013 17:58:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=uKBaZDO+noa/CK6161nRTbVWKcnjAh3R31hLoMzVUGY=; b=bymugGmf1AnhtaKjmHzj4s+mnozV+ZOwmWGm7YB9FGhPMf94h4uCTgg8wmW+vYg7I+ q6I1jLueJxYMYyv2XSku7AbVeetElERX6Fc1KFCjYYVxJfLatDEVimq3q2cSbR77livJ srldgSC0Ymota++Eq/Bmiv6L1y47nLXqKpYyGUChkz1KGBI4fm4Ybkf/XVjyUZP9uGH4 jAbirqAoydBZmikq/4SapLrSDKVVcAgz4G4PH8Ul6pRRzmzbwh1fFMmCYvqy1cwmakB4 UqRsg9v8jYP41y5Ad6vlQydQnd5rEpt7HOSNHgYS7ArD3/j7IY1vnywL4m/NODZC2Nkn 1RRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=uKBaZDO+noa/CK6161nRTbVWKcnjAh3R31hLoMzVUGY=; b=JGK6RvdZhH7hQr9SYWqPHsGY7ilfe7rL18LeWPp4ONTwiTRIPmnrcit8OzZFJLPPDD w9iHqgPpO2b9/FFoBUHzHwg6RH52Ei3u/nRQ3TuutEmww6ye3VqbpUqwc0gS5KcgDn45 yAINQi73UQapVRUb0byWxYQyGm8x7DtE5g5ucUd83xi8dZQuz+eYRHCA84e/Ji3hyPTs TGWLLYVNUyLZYgqEM5tQWjEx3jVbAxlm+oS3h/Bncuq2Yt+TMyDW6MGUvRNpMb7gyf4W 6ozB3WcJQthfBVCCD3GKuUzED2mIFrBRO9mPZwa7Jc4BBt0OHvOWR4acCIyMbuPJH2ph E0tA==
MIME-Version: 1.0
X-Received: by 10.50.236.41 with SMTP id ur9mr10771422igc.7.1360202307865; Wed, 06 Feb 2013 17:58:27 -0800 (PST)
Received: by 10.64.5.168 with HTTP; Wed, 6 Feb 2013 17:58:27 -0800 (PST)
In-Reply-To: <511225F1.7010008@cs.tcd.ie>
References: <4613980CFC78314ABFD7F85CC30277211199D0A8@IL-EX10.ad.checkpoint.com> <511225F1.7010008@cs.tcd.ie>
Date: Thu, 7 Feb 2013 01:58:27 +0000
Message-ID: <CABrd9SR0-RTAWnK_g3N8cPStcQfMcFn-8Eq=Ny6xiADYY3NR+w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQklBdY+NAym8r6HERyvsrbxyK/PpDux5Hmx4ZRp+sJ+om5xTqyuhoqF8VXsi4gpvX0tsClX1iEY20a9rJjdAlbkHBot7hhmlzRae9I/YXpEyAG59koB3b7kWWvzY75EE1blnGJbeRLRqqtqFZqh1EaFO6Xrb3prrYkSkUn8AmSKcXIKCnsztbYI17ptWwrv7G3nZiIV
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Fwd: RE: SecDir review of draft-williams-websec-session-continue-prob-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2013 01:58:29 -0000

On 6 February 2013 09:44, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Hi the websec WG would like to get an early review of this
> one as they consider adopting it. Any takers?

Not really a proper review, but some thoughts:

" 4. Resistance to active attacks on https. [NOTE: This should

        probably NOT be a requirement.  Instead we should be happy to
        note where a proposed protocol provides this.]"

I'm very confused by this point, but...

a) What active attacks? Need to specify them.

b) If there are active attacks that are actually effective (surely
not?) that can be avoided by these protocols, then avoidance should be
compulsory.

And then...

" 8. Session continuation must provide protection against man-in-the-

        middle (MITM) attacks when using TLS.  (This is important when
        using anonymous Diffie-Hellman cipher suites for TLS, as well as
        when using server certificates from low-value Public Key
        Infrastructures (PKI)."

Seems to be a couple of examples of what they're talking about.

" 10. Must work across all types of proxies. Proxies that can modify

        the plaintext HTTP requests and responses can (but should not)
        interfere with any session continuation protocol."

A man-in-the-middle is a type of proxy, so this seems like an
unsatisfiable requirement.




>
> Ta,
> S
>
>
> -------- Original Message --------
> Subject: RE: SecDir review of draft-williams-websec-session-continue-prob-00
> Date: Wed, 6 Feb 2013 08:40:01 +0000
> From: Yoav Nir <ynir@checkpoint.com>
> To: Sean P. Turner <turners@ieca.com>om>,        Stephen Farrell
> <stephen.farrell@cs.tcd.ie>
> CC: Tobias Gondrom <tobias.gondrom@gondrom.org>
>
> Sean?  Stephen?
>
> -----Original Message-----
> From: Yoav Nir
> Sent: Wednesday, January 30, 2013 7:02 AM
> To: Sean P. Turner; Stephen Farrell
> Cc: Tobias Gondrom
> Subject: SecDir review of draft-williams-websec-session-continue-prob-00
>
> Hi
>
> The subject draft is about creating a session management protocol for
> HTTP, that will be (a) more secure than using cookies and (b) tied to
> authentication.
>
> This is a proposed work item for the WebSec working group, and is not
> (yet) part of our charter.
>
> I think having a security review this early on will help the working
> group reach a decision (hopefully in or around Orlando), and may help us
> find that we've missed some really important issues and requirements.
>
> Would you be willing to ask SecDir to review this?
>
> Thanks
>
> Yoav
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview