W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Thu, 11 Mar 2010 08:37:41 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <02FD79DD-FB20-4E50-B0BB-9B2E983E69A8@yahoo-inc.com>
To: Adam Barth <w3c@adambarth.com>
Good points, Adam. Now that httpstate is running (something that wasn't on the cards when this document was written a few years ago), I suspect we can defer a fair amount of the Cookie-related discussion to it. 


On 11/03/2010, at 4:18 AM, Adam Barth wrote:

> Comments on Section 2.1:
> "The protocol in RFC 2109 is relatively widely implemented"
> => This isn't really true.  No one actually implements the protocol in
> RFC 2109.  I'd encourage the authors of this document to refer to
> <http://tools.ietf.org/html/draft-ietf-httpstate-cookie>, which is
> widely implemented.
> "Forms and cookies have many properties that make them an excellent
> solution for some implementers."
> => The word "excellent" here is a bit of an overstatement.  Forms and
> cookies are widely used but I doubt many people would describe them as
> an excellent solution.
> "The cookies that result from a successful form submission make it
> unnecessary to validate credentials with each HTTP request;"
> => This statement is misleading.  Servers still need to validate each
> HTTP request to avoid cross-site request forgery attacks.
> "measures to prevent such attacks will never be as stringent as
> necessary for authentication credentials because cookies are used for
> many purposes"
> => It seems presumptuous to make claims over what will "never" happen.
> It's entirely possible that we'll think of something clever in the
> future that makes this statement false.
> IMHO, <http://tools.ietf.org/html/draft-ietf-httpstate-cookie> gives a
> more accurate picture of the security issues with cookies in its
> security considerations section (but I might be biased since I edit
> that document).  I'd be happy to contribute specific text for this
> section if that would be helpful.
> Adam
> On Wed, Mar 10, 2010 at 8:45 AM,  <Internet-Drafts@ietf.org> wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Hypertext Transfer Protocol Bis Working Group of the IETF.
>>        Title           : Security Requirements for HTTP
>>        Author(s)       : J. Hodges, B. Leiba
>>        Filename        : draft-ietf-httpbis-security-properties-04.txt
>>        Pages           : 13
>>        Date            : 2010-3-8
>> Recent IESG practice dictates that IETF protocols must specify
>>   mandatory-to-implement (MTI) security mechanisms, so that all
>>   conformant implementations share a common baseline.  This document
>>   examines all widely deployed HTTP security technologies, and analyzes
>>   the trade-offs of each.
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-04.txt
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.

Mark Nottingham       mnot@yahoo-inc.com
Received on Wednesday, 10 March 2010 21:39:33 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:21 UTC