Hi all,

Some of you may have attended the HTTPAuth BoF in Atlanta. That BoF was not successful in forming a working group, but one of the take-aways from that meeting was that a better session management protocol was both needed, and something the IETF could do decent work on. This is partially motivated by the recent BEAST and CRIME attacks, which relied on the repeated transmission of the session cookie, and in another part by the realization that the use of HTTP cookies to manage sessions as it is done today is unsound.

In the last few weeks, a design team has been working on a problem statement document. The design team includes Nico Williams, Phillip Hallam-Baker, Yaron Sheffer, and Paul Leach. The draft is by no means finished, but we think it is ready to go public for discussion on this list. Here's a link to the draft:

http://tools.ietf.org/html/draft-williams-websec-session-continue-prob-00

It should be noted that this document and a possible subsequent protocol document are NOT currently on the WebSec charter. Only X-Frame-Options and Key Pinning are. But we do think this list is a good venue for this item, and if there's enough interest we can ask our AD to add this to our charter.

If accepted, the problem statement should be followed by a protocol document, and perhaps by a client practices document. But that's for the future. The design team has also been working on a proposed session continuation protocol document [1], but that is in a more initial state, and (with chair hat on) we will consider it among other possible proposals when the time comes.

I'd like to thank the design team members for this work, and especially Nico Williams for editing the problem statement document.

Regards,
Yoav

[1] http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
