W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Introducing a Session header...

From: Roberto Peon <grmocg@gmail.com>
Date: Fri, 20 Jul 2012 10:24:52 -0700
Message-ID: <CAP+FsNeTBU8+-h85Bp1smqXsNBdYiL74y2HqVeE3qUiSmS8iuA@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, James Snell <jasnell@gmail.com>, Philippe Mougin <pmougin@acm.org>
There are a number of different requirements here, and a number of problems
that we're attempting to solve, and I haven't yet seen someone put them
together in a list so that the tradeoffs are easily established, especially
in the context of actually getting people to use the thing.

In the event we allow cleartext communications (not debating that here),
security for the nonce/session-id is an issue.

-=R


On Fri, Jul 20, 2012 at 9:56 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:

> In message <CAP+FsNcWPw6j68Y9g9HfAWxZu-83W4p1cX0OTd4Fngky=
> PdvgA@mail.gmail.com>
> , Roberto Peon writes:
>
> >I don't want this to turn into TLS vs not TLS, just pointing out that
> >generating a shared nonce securely is something we already know how to do.
>
> It doesn't have to be secure, it doesn't even have to be unique, to
> serve the role I'm looking for, all I want is that the user-agent
> gives us a routeable id.
>
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
Received on Friday, 20 July 2012 17:25:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 20 July 2012 17:25:29 GMT