[websec] draft-williams-websec-session-continue-prob-00

James M Snell <jasnell@gmail.com> Mon, 14 January 2013 21:36 UTC

From: James M Snell <jasnell@gmail.com>
Date: Mon, 14 Jan 2013 13:36:28 -0800
Message-ID: <CABP7RbcUNkxZ55T626iGBVCVRzt_r6DsyLBLeEjN-of8H3xHFA@mail.gmail.com>
To: websec@ietf.org
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

Hello,

Just jumped over here from the http list per Yoav Nir's request for
feedback with regards to the draft-williams-websec-session-continue-prob
draft.

Overall I think the draft is a good start. There definitely does need to be
more of an explanation as to why the existing cookie-based mechanism is bad.

As far as more forward-looking feedback is concerned, I wanted to point to
the In-Session Key Negotiation draft I wrote as input to the ongoing http/2
discussion:

  http://tools.ietf.org/html/draft-snell-httpbis-keynego-00

This draft introduces a new (currently experimental) bidirectional
key-negotiation sub-protocol within spdy/http2 for the negotiation of
secure keys, and it can be used for the establishment of authenticated and
unauthenticated sessions. (Note that I'm just making sure folks know about
this draft, as it is relevant to the discussion.) Running down through the
list of requirements stated by the websec-session-continue-prob draft, it
covers a good deal of the issues.

- James
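The message above contrasts the cookie-based session mechanism with a session built on a negotiated key. The following is an added illustration, not code from draft-williams-websec-session-continue-prob or draft-snell-httpbis-keynego-00, and it does not model either draft's wire format. It assumes only that some handshake (stood in for by `negotiate_session_key`, a hypothetical helper) leaves client and server with a shared secret, and then shows why a bearer cookie is a weaker continuation credential than a key that never leaves the endpoints: a stolen cookie authorises any request, whereas a captured key-bound request can be neither replayed nor re-targeted.

```python
"""Bearer cookie vs. key-bound session continuation (added illustration).

Two toy servers model two ways of recognising a returning client:
  1. BearerCookieServer: whoever presents the cookie string is the user.
  2. KeyBoundServer: the client proves possession of a session key by
     MACing each request together with a strictly increasing counter.

negotiate_session_key() is a stand-in for a real key agreement (assumption
of this example); both ends are simply handed the same 32 random bytes.
"""
import hashlib
import hmac
import secrets


def negotiate_session_key() -> bytes:
    # Hypothetical placeholder for a key-negotiation handshake.
    return secrets.token_bytes(32)


class BearerCookieServer:
    """Session = random opaque string; possession alone grants access."""

    def __init__(self):
        self.sessions = {}  # cookie -> user

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def handle(self, cookie: str, method: str, path: str):
        user = self.sessions.get(cookie)
        return None if user is None else (user, method, path)


def request_tag(key: bytes, sid: str, counter: int, method: str, path: str) -> str:
    """HMAC-SHA256 over the session id, counter and request line.

    NUL separators keep the fields unambiguous when concatenated.
    """
    msg = b"\x00".join([sid.encode(), str(counter).encode(), method.encode(), path.encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class KeyBoundServer:
    """Session = shared key + monotonic counter; each request carries a MAC."""

    def __init__(self):
        self.sessions = {}  # sid -> [user, key, last_counter_seen]

    def login(self, user: str, key: bytes) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = [user, key, 0]
        return sid

    def handle(self, sid: str, counter: int, method: str, path: str, tag: str):
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        user, key, last = rec
        if counter <= last:  # replayed or out-of-order request
            return None
        expected = request_tag(key, sid, counter, method, path)
        if not hmac.compare_digest(expected, tag):  # forged or re-targeted
            return None
        rec[2] = counter  # accept and advance the replay window
        return (user, method, path)


class KeyBoundClient:
    def __init__(self, sid: str, key: bytes):
        self.sid, self.key, self.counter = sid, key, 0

    def request(self, method: str, path: str):
        self.counter += 1
        tag = request_tag(self.key, self.sid, self.counter, method, path)
        return (self.sid, self.counter, method, path, tag)


def demo() -> dict:
    """Run the same credential-theft scenario against both servers."""
    out = {}
    # Bearer cookie: the captured cookie is a complete credential.
    bs = BearerCookieServer()
    cookie = bs.login("alice")
    out["bearer_legit"] = bs.handle(cookie, "GET", "/inbox") is not None
    out["bearer_stolen_any_request"] = bs.handle(cookie, "POST", "/transfer") is not None
    # Key-bound session: attacker captured one complete request on the wire.
    key = negotiate_session_key()
    ks = KeyBoundServer()
    sid = ks.login("alice", key)
    client = KeyBoundClient(sid, key)
    captured = client.request("GET", "/inbox")
    out["bound_legit"] = ks.handle(*captured) is not None
    out["bound_replay"] = ks.handle(*captured) is not None  # same counter: rejected
    sid_, ctr, _, _, tag = captured
    out["bound_retarget"] = ks.handle(sid_, ctr + 1, "POST", "/transfer", tag) is not None
    out["bound_next_legit"] = ks.handle(*client.request("POST", "/transfer")) is not None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The counter check is what turns a MAC into a continuation mechanism: without it a captured request would still be replayable for as long as the key lives. A real design also needs to bind the key to the transport or origin, which this sketch deliberately leaves out.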