- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Thu, 11 Mar 2010 08:37:41 +1100
- To: Adam Barth <w3c@adambarth.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Good points, Adam. Now that httpstate is running (something that wasn't on the cards when this document was written a few years ago), I suspect we can defer a fair amount of the Cookie-related discussion to it.

Regards,

On 11/03/2010, at 4:18 AM, Adam Barth wrote:

> Comments on Section 2.1:
>
> "The protocol in RFC 2109 is relatively widely implemented"
> => This isn't really true. No one actually implements the protocol in RFC 2109. I'd encourage the authors of this document to refer to <http://tools.ietf.org/html/draft-ietf-httpstate-cookie>, which is widely implemented.
>
> "Forms and cookies have many properties that make them an excellent solution for some implementers."
> => The word "excellent" here is a bit of an overstatement. Forms and cookies are widely used but I doubt many people would describe them as an excellent solution.
>
> "The cookies that result from a successful form submission make it unnecessary to validate credentials with each HTTP request;"
> => This statement is misleading. Servers still need to validate each HTTP request to avoid cross-site request forgery attacks.
>
> "measures to prevent such attacks will never be as stringent as necessary for authentication credentials because cookies are used for many purposes"
> => It seems presumptuous to make claims over what will "never" happen. It's entirely possible that we'll think of something clever in the future that makes this statement false.
>
> IMHO, <http://tools.ietf.org/html/draft-ietf-httpstate-cookie> gives a more accurate picture of the security issues with cookies in its security considerations section (but I might be biased since I edit that document). I'd be happy to contribute specific text for this section if that would be helpful.
>
> Adam
>
>
> On Wed, Mar 10, 2010 at 8:45 AM, <Internet-Drafts@ietf.org> wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Hypertext Transfer Protocol Bis Working Group of the IETF.
>>
>> Title : Security Requirements for HTTP
>> Author(s) : J. Hodges, B. Leiba
>> Filename : draft-ietf-httpbis-security-properties-04.txt
>> Pages : 13
>> Date : 2010-3-8
>>
>> Recent IESG practice dictates that IETF protocols must specify mandatory-to-implement (MTI) security mechanisms, so that all conformant implementations share a common baseline. This document examines all widely deployed HTTP security technologies, and analyzes the trade-offs of each.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-04.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
>>
>>
>

--
Mark Nottingham mnot@yahoo-inc.com
Received on Wednesday, 10 March 2010 21:39:33 UTC
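The CSRF point Adam raises in the quoted comments (a session cookie does not remove the need to validate each request, because the browser attaches that cookie to cross-site form posts as well) is easy to see in code. The following is an added example, not code from the thread, the draft, or either author: a server-side check that treats the cookie as identification only and requires, for any state-changing request, a synchronizer token bound to the session with an HMAC plus an Origin header check when the browser sends one. The key, site origin, session store and request dicts are constructed for the example.

```python
"""Per-request validation of a cookie-authenticated HTTP request.

Added example (not from the thread): a valid session cookie only proves the
browser holds the cookie, not that the user meant to send this request.
Browsers attach cookies to cross-site form posts too, so a state-changing
request must carry a second value the attacker's page cannot read: here a
synchronizer token bound to the session with an HMAC, plus an Origin header
check when the browser supplies one.
"""
import hashlib
import hmac

# Constructed values for the example; a real server loads these from config.
SERVER_KEY = b"example-key-do-not-use-in-production"
SITE_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed session store: cookie value -> authenticated user.
SESSIONS = {"s3ss10n-abc": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in its own forms; derived from the session id
    so it is valid only together with that session's cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_request(request: dict) -> tuple[bool, str]:
    """Return (accepted, reason). `request` is a dict with method, cookies,
    headers and form fields, shaped like what a framework hands a handler."""
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return False, "no valid session cookie"

    # Reads carry no side effects, so the cookie alone is enough here.
    if request["method"].upper() not in STATE_CHANGING:
        return True, f"read-only request for {user}"

    # 1. If the browser sent an Origin header it must name our own site.
    #    Browsers add it to cross-site POSTs and pages cannot forge it.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin}"

    # 2. The anti-CSRF token in the form body must match the one bound to
    #    this session. A forged cross-site form cannot know it.
    expected = issue_csrf_token(session_id)
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"

    return True, f"state change accepted for {user}"


if __name__ == "__main__":
    token = issue_csrf_token("s3ss10n-abc")
    # Constructed requests: one from the site's own form, one from an
    # attacker's page that the browser dutifully sent the cookie with.
    genuine = {"method": "POST", "cookies": {"session": "s3ss10n-abc"},
               "headers": {"Origin": SITE_ORIGIN},
               "form": {"csrf_token": token, "to": "bob", "amount": "10"}}
    forged = {"method": "POST", "cookies": {"session": "s3ss10n-abc"},
              "headers": {"Origin": "https://evil.example"},
              "form": {"to": "mallory", "amount": "1000"}}
    for name, req in (("genuine", genuine), ("forged", forged)):
        print(name, validate_request(req))
```

Both requests carry the same valid cookie; only the per-request checks separate them, which is the distinction Adam's comment draws. The Origin check is done first because it costs nothing, but the token check is the one that holds when a client omits Origin.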