Re: [E] Re: HTTP State Tokens from Kaustubha Govind on 2021-04-14 (public-privacycg@w3.org from April 2021)

From: Kaustubha Govind <kaustubhag@google.com>
Date: Tue, 13 Apr 2021 21:08:08 -0400
To: George Fletcher <george.fletcher@verizonmedia.com>
Cc: Mike West <mkwst@google.com>, public-privacycg@w3.org
Message-ID: <CAHTnisTr1y0FA118hok49mA+mA_-ortLNZv8Xh_5ToxS9QP=8g@mail.gmail.com>

On Thu, Apr 8, 2021, 10:14 AM George Fletcher <
george.fletcher@verizonmedia.com> wrote:

> Hi Mike,
>
> Thanks so much for the response! I found the ability for the user agent to
> generate a signature for the state tokens very intriguing. Is there any
> chance we could add that feature to existing cookies via some mechanism?
> Maybe an attribute for a "set-cookie" response header?
>
> Thoughts?
>

George: I'm curious to hear about the threat model you're trying to solve
for. Mike's proposal speculates that the signing key could potentially help
mitigate attacks possible via token theft, but leaves open the possibility
that the design could be improved upon.



> Thanks,
> George
>
> On Thu, Apr 8, 2021 at 1:18 AM Mike West <mkwst@google.com> wrote:
>
>> Hey George,
>>
>> There was discussion on the IETF's HTTP working group list, and in
>> WebAppSec. My impression from those conversations was that there wasn't
>> enough appetite for building a cookie replacement vs. incrementally
>> changing cookies as they exist. That's the strategy laid out in
>> https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mikewest.github.io_cookie-2Dincrementalism_draft-2Dwest-2Dcookie-2Dincrementalism.html&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=cl87BDJWy_Dken1-bgbUZHoY1dEfYnAZIzXekbjJhbc&m=PF75H_jMRGPCLyMfWDj-A4dzaaPqTcbqyYtjw89EGLo&s=F7i2jxquOErF2Ge7jHxCrCcLy3KYBsaY2LFPcDC8dps&e=>
>> .
>>
>> From my perspective, state tokens are on hold while vendors determine
>> just how malleable existing cookies actually are. I'd love to see folks
>> collectively decide to pick them up again as I think there's some value in
>> shipping a modernized version of that draft, but I'm happy to see the
>> energy flow into incremental change for the time being. :)
>>
>> -mike
>>
>>
>> On Wed, Apr 7, 2021 at 9:42 PM George Fletcher <
>> george.fletcher@verizonmedia.com> wrote:
>>
>>> Thanks! I remember it being discussed but then it seems like discussion
>>> has gone silent. The IETF draft expired in September 2019 :)
>>>
>>> On Wed, Apr 7, 2021 at 3:38 PM Kaustubha Govind <kaustubhag@google.com>
>>> wrote:
>>>
>>>> Adding +Mike West <mkwst@google.com> (author of the proposal).
>>>>
>>>> It was discussed on the WebAppSec WG mailing list months ago.
>>>>
>>>> On Wed, Apr 7, 2021 at 3:15 PM George Fletcher <
>>>> george.fletcher@verizonmedia.com> wrote:
>>>>
>>>>> This may not be the correct venue but figured I'd ask to see if anyone
>>>>> knows the status of HTTP State tokens.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>
>>>
>>>
>

Received on Wednesday, 14 April 2021 01:09:33 UTC