IETF Logo Mail Archive

Re: [TLS] Deprecating SSLv3

Bill Frantz <frantz@pwpconsult.com> Mon, 24 November 2014 22:44 UTC

Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE541A6FB7 for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 14:44:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6_YKjheCtjSg for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 14:44:33 -0800 (PST)
Received: from elasmtp-spurfowl.atl.sa.earthlink.net (elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]) by ietfa.amsl.com (Postfix) with ESMTP id C9F4F1A0250 for <tls@ietf.org>; Mon, 24 Nov 2014 14:44:33 -0800 (PST)
Received: from [173.75.83.153] (helo=Williams-MacBook-Pro.local) by elasmtp-spurfowl.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1Xt2Mt-0006zV-EE; Mon, 24 Nov 2014 17:44:27 -0500
Date: Mon, 24 Nov 2014 14:44:22 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3
In-Reply-To: <88D3820D-E509-40E0-AF12-E8B82A9708B3@gmail.com>
Message-ID: <r422Ps-1075i-A77690F1D48E475F8C0475A5804F2848@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec79c4f73377754e87dc219159f9d4b9e9ea350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 173.75.83.153
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/d17acUxeMbNRD5Jm9QMqPQWxmz4
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 22:44:35 -0000

On 11/25/14 at 2:29 PM, ynir.ietf@gmail.com (Yoav Nir) wrote:

>If I had to choose between “new cookie” that is not a 
>bearer token but is somehow bound to session or origin and a 
>“new cookie” that is scoped so that only scripts loaded 
>from *.google.com can use my google.com cookie while other 
>scripts send unauthenticated requests, I’d choose the scoping.

That scoping is approaching a capability system. If the 
authority and the object which recognizes that authority are 
bound together in one reference, then you have a capability. The 
closest we get to capabilities on the web are OATH tokens and 
URLs with "unguessable" strings.

A good capability system allows references to be transferred 
between people/programs to allow rich sharing 
<http://www.skyhunter.com/pubshare/>. Rich sharing can greatly 
reduce the incentive to share usernames and passwords.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I don't have high-speed      | Periwinkle
(408)356-8506      | internet. I have DSL.        | 16345 
Englewood Ave
www.pwpconsult.com |                              | Los Gatos, 
CA 95032

v2.14.0 | Report a Bug | By Email