Re: [websec] [OAUTH-WG] fyi: IETF conflict review results for draft-secure-cookie-session-protocol

Barry Leiba <> Thu, 06 December 2012 19:34 UTC

To: =JeffH <>
Cc: IETF oauth WG <>, IETF WebSec WG <>, HTTP Working Group <>, Apps Discuss <>, HTTP State <>

> [ I was nosing around and noticed this relatively recent decision, it didn't
> appear to have been fwd'd to these lists. fyi/fwiw... ]
> The IESG has no problem with the publication of 'SCS: Secure Cookie
> Sessions for HTTP' <draft-secure-cookie-session-protocol-08.txt> as an
> Informational RFC.
> The IESG has concluded that this work is related to IETF work done in the
> websec and httpbis working groups, but this relationship does not prevent
> publishing.

Yes, Jeff, and thanks for forwarding this.  To make sure people have
the background...

I announced on 17 Oct to this set of mailing lists that we were
looking for input to the conflict review to be posted to the SAAG
mailing list.  The discussion thread starts here:

On 9 November, I closed the discussion with this message on the SAAG list:

If anyone has any questions about the document, I suggest they contact
the authors directly.  You can do that with the following tools alias:

Barry, App AD