[websec] Proposed Work Item: Session Continuation

Yoav Nir <ynir@checkpoint.com> Wed, 02 January 2013 05:21 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Wed, 2 Jan 2013 05:21:08 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210EE20E90@IL-EX10.ad.checkpoint.com>

Hi all

Some of you may have attended the HTTPAuth BoF in Atlanta. That BoF was not successful in forming a working group, but one of the take-aways from that meeting was that a better session management protocol was both needed and something the IETF could do decent work on. This is partially motivated by the recent BEAST and CRIME attacks, which relied on the repeated transmission of the session cookie, and in another part by the realization that the use of HTTP cookies to manage sessions as it is done today is unsound.

In the last few weeks, a design team has been working on a problem statement document. The design team includes Nico Williams, Phillip Hallam-Baker, Yaron Sheffer, and Paul Leach. The draft is by no means finished, but we think it is ready to go public for discussion on this list.

Here's a link to the draft:

It should be noted that this document and a possible subsequent protocol document are NOT currently on the WebSec charter. Only X-Frame-Options and Key Pinning are. But we do think this list is a good venue for this item, and if there's enough interest we can ask our AD to add this to our charter.

If accepted, the problem statement should be followed by a protocol document, and perhaps by a client practices document. But that's for the future. The design team has also been working on a proposed session continuation protocol document [1], but that is in a more initial state, and (with chair hat on) we will consider it among other possible proposals when the time comes.

I'd like to thank the design team members for this work, and especially Nico Williams for editing the problem statement document.

[1] http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00