[websec] Call for adoption: draft-ietf-websec-session-continue-prob-00

Yoav Nir <ynir@checkpoint.com> Mon, 08 July 2013 05:38 UTC

To: IETF WebSec WG <websec@ietf.org>

Hi all

This has been submitted with a websec filename, but note that this is not (yet) on our charter.

At the Orlando meeting, we discussed some of the security issues with keeping HTTP sessions using cookies. There was consensus in the room that this is a problem that needs solving. Nicolas Williams, Phillip Hallam-Baker, and Yaron Sheffer volunteered to write a problem statement, and this is it. The message we got from our AD is that first we should show that the working group has the time and energy to work on solving this problem, and then we can add this to our charter.

So please have a look at this document, and answer the following:
 - Is this a good starting point for the problem statement?
 - Will you be willing to review the problem statement?
 - Will you be willing to read multiple solution proposals to help the working group choose?
 - Will you be willing to review the solution document?

We will have a chance to discuss this in Berlin, but it would be great if we have a rough measure of how much energy we have.

Thanks

Tobias and Yoav

On Jul 8, 2013, at 8:26 AM, internet-drafts@ietf.org wrote:

> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Security Working Group of the IETF.
> 
> 	Title           : Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement
> 	Author(s)       : Nicolas Williams
> 	Filename        : draft-ietf-websec-session-continue-prob-00.txt
> 	Pages           : 13
> 	Date            : 2013-07-07
> 
> Abstract:
>   One of the most often talked about problems in web security is
>   "cookies".  Web cookies are a method of associating requests with
>   "sessions" that may have been authenticated somehow.  Cookies are a
>   form of bearer token that leave much to be desired.  This document
>   describes the session "continuation" problem for the HyperText
>   Transport Protocol (HTTP).
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-websec-session-continue-prob
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-websec-session-continue-prob-00
> 
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/