Hi Harry.

On Mar 19, 2013, at 10:21 AM, Harry Halpin <[email protected]> wrote:

> On 03/14/2013 04:49 AM, Phillip Hallam-Baker wrote:
>> The main substantive query that seemed to be raised in the meeting was
>> what we are going to call this session continuation thing. I am not
>> that worried about confusion with HTTP-Auth. Folk who know, know.
>> 
>> But one of the objectives here is to replace cookies. So choosing a
>> name that positions the spec as a successor to authentication cookies
>> is actually quite important.
>> 
>> 
>> How about Session Bound State as the term of art?
>> 
> 
> For those of us who weren't at the meeting, can we get a summary or a pointer?

You can get both.

There's the presentation that Phillip gave at the meeting: 
http://www.ietf.org/proceedings/86/slides/slides-86-websec-3.pdf
Also, there's Nico's draft: 
http://tools.ietf.org/html/draft-williams-websec-session-continue-prob

To summarize, the problem we are trying to solve is that the current method of 
keeping sessions in HTTP through the use of session cookies has a lot of 
drawbacks:
 1. Cookies are not cryptographically bound to authentication, so there are 
many opportunities for an attacker to insert itself in the middle.
 2. Cookies are bearer tokens, which makes them attractive targets. Just in the 
last 18 months we've seen three attacks that recover the cookies even with TLS 
(BEAST, CRIME, Lucky-13).
 3. The rules for cookie usage are such that static and active content on one 
page can make requests on the user's behalf to another site, and have those 
requests authenticated by the user's cookie.
 4. Depending on cookie format, either the client or the server, but never 
both, can destroy the state, effectively terminating the session. It's the "not 
both" that is the issue.

So Nico and a design team wrote the above-mentioned draft that should have a 
problem statement and requirements. This is an initial draft and still requires 
much work. We are asking the working group to review this and post opinions to 
the list. If the review is as positive as the sentiment in the room was, we 
will adopt this and make this a working group document. For now, we're 
requesting reviews and textual suggestions.

Yoav
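
As an added illustration of drawbacks 1 and 2 above (this is example code written for this page, not the draft's mechanism and not anything from the list discussion), the sketch below contrasts a plain bearer-cookie session with a session that is bound to a per-session key held only by the client. Every request in the bound variant carries a counter and an HMAC over the session id, counter, method, path and body; the server accepts a request only if the tag verifies and the counter advances. A captured cookie value alone is therefore not enough to act as the user, a captured request cannot be replayed, and a request that some other origin causes the browser to send would carry the cookie but not a valid tag, since that origin never had the key. The stores, function names and message layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side session stores, constructed for this example.
BEARER_SESSIONS = {}   # cookie value -> user name
BOUND_SESSIONS = {}    # session id -> {"user", "key", "last_counter"}


def bearer_login(user):
    """Plain cookie session: the server hands out a random value and
    later trusts whoever presents it."""
    cookie = secrets.token_hex(16)
    BEARER_SESSIONS[cookie] = user
    return cookie


def bearer_authenticate(cookie):
    # Possession of the cookie value is the whole proof: a bearer token.
    return BEARER_SESSIONS.get(cookie)


def bound_login(user):
    """Key-bound session: the client receives a session id plus a secret
    key that is never sent on the wire again, only used to sign requests."""
    sid = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    BOUND_SESSIONS[sid] = {"user": user, "key": key, "last_counter": 0}
    return sid, key


def bound_sign(key, sid, counter, method, path, body=b""):
    """Tag that the client attaches to each request (assumed message layout)."""
    msg = b"\n".join([
        sid.encode(), str(counter).encode(), method.encode(), path.encode(),
        hashlib.sha256(body).digest(),
    ])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bound_authenticate(sid, counter, method, path, body, tag):
    """Returns the user on success, None on an unknown session, a replayed
    or out-of-order counter, or a tag that does not match the request."""
    sess = BOUND_SESSIONS.get(sid)
    if sess is None:
        return None
    if counter <= sess["last_counter"]:
        return None  # replay of an already-seen request
    expected = bound_sign(sess["key"], sid, counter, method, path, body)
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or modified method/path/body
    sess["last_counter"] = counter
    return sess["user"]


def demo():
    """Walk through the two schemes and report what each accepts."""
    results = {}

    cookie = bearer_login("alice")
    # Anyone who learns the cookie value is accepted as alice.
    results["bearer_accepts_copied_cookie"] = bearer_authenticate(cookie) == "alice"

    sid, key = bound_login("alice")
    tag = bound_sign(key, sid, 1, "POST", "/transfer", b"amount=10")
    results["bound_accepts_signed"] = (
        bound_authenticate(sid, 1, "POST", "/transfer", b"amount=10", tag) == "alice")
    # The same captured request presented again is refused (counter reused).
    results["bound_rejects_replay"] = (
        bound_authenticate(sid, 1, "POST", "/transfer", b"amount=10", tag) is None)
    # A new counter with a changed body but the old tag is refused (no key).
    results["bound_rejects_tamper"] = (
        bound_authenticate(sid, 2, "POST", "/transfer", b"amount=99", tag) is None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The counter check is what turns a captured transcript into something useless to a third party; a production design would also need a way to resynchronize counters after lost requests and a defined way for either side to end the session (drop the server entry, or discard the client key), which is the point raised in item 4.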


_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
