I-D ACTION:draft-ietf-httpbis-security-properties-04.txt


I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

Internet-Drafts
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Hypertext Transfer Protocol Bis Working Group of the IETF.

        Title : Security Requirements for HTTP
        Author(s) : J. Hodges, B. Leiba
        Filename : draft-ietf-httpbis-security-properties-04.txt
        Pages : 13
        Date : 2010-3-8
       
Recent IESG practice dictates that IETF protocols must specify
mandatory-to-implement (MTI) security mechanisms, so that all
conformant implementations share a common baseline.  This document
examines all widely deployed HTTP security technologies, and analyzes
the trade-offs of each.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.


Re: I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

Adam Barth
Comments on Section 2.1:

"The protocol in RFC 2109 is relatively widely implemented"
=> This isn't really true.  No one actually implements the protocol in
RFC 2109.  I'd encourage the authors of this document to refer to
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie>, which is
widely implemented.

"Forms and cookies have many properties that make them an excellent
solution for some implementers."
=> The word "excellent" here is a bit of an overstatement.  Forms and
cookies are widely used but I doubt many people would describe them as
an excellent solution.

"The cookies that result from a successful form submission make it
unnecessary to validate credentials with each HTTP request;"
=> This statement is misleading.  Servers still need to validate each
HTTP request to avoid cross-site request forgery attacks.

"measures to prevent such attacks will never be as stringent as
necessary for authentication credentials because cookies are used for
many purposes"
=> It seems presumptuous to make claims over what will "never" happen.
It's entirely possible that we'll think of something clever in the
future that makes this statement false.

IMHO, <http://tools.ietf.org/html/draft-ietf-httpstate-cookie> gives a
more accurate picture of the security issues with cookies in its
security considerations section (but I might be biased since I edit
that document).  I'd be happy to contribute specific text for this
section if that would be helpful.

Adam


On Wed, Mar 10, 2010 at 8:45 AM,  <[hidden email]> wrote:

>
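The CSRF point Adam raises (a valid session cookie does not by itself prove the user intended a given request) as an added Python example; this is not code from the thread or from the draft. The session store, user, token, site origin and the three request dicts are constructed for illustration, and the handlers model a bank transfer endpoint rather than any real application. The vulnerable handler authorizes on the cookie alone; the hardened one additionally requires a synchroniser token bound to the session and rejects a mismatched Origin header.

```python
import hmac
from urllib.parse import parse_qs

# Constructed server-side state (hypothetical session id, user and token):
# the session cookie value maps to the authenticated user and to a
# per-session anti-CSRF token that the server embeds in its own forms.
SESSION_STORE = {
    "sid-7f3a": {"user": "alice", "csrf_token": "tok-9c2e"},
}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the application


def parse_cookies(header):
    """Split a Cookie request header into name=value pairs."""
    cookies = {}
    if not header:
        return cookies
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def session_from(request):
    """Return the session named by the 'session' cookie, or None."""
    sid = parse_cookies(request["headers"].get("Cookie")).get("session")
    return SESSION_STORE.get(sid)


def transfer_cookie_only(request):
    """Vulnerable handler: a valid session cookie is taken as proof that
    the user intended this request. Browsers attach cookies to cross-site
    form posts too, so a page on another origin can make Alice's browser
    submit a transfer that this handler accepts."""
    session = session_from(request)
    if session is None:
        return (401, "no session")
    form = parse_qs(request["body"])
    return (200, f"transferred {form['amount'][0]} for {session['user']}")


def transfer_hardened(request):
    """Hardened handler: the cookie still authenticates the user, but every
    state-changing request must also prove it came from our own page:
    a synchroniser token bound to the session, plus an Origin header
    matching the site whenever the browser sends one."""
    session = session_from(request)
    if session is None:
        return (401, "no session")
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return (403, "cross-origin request rejected")
    form = parse_qs(request["body"])
    submitted = form.get("csrf_token", [""])[0]
    # constant-time comparison so the token check does not leak timing
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "missing or invalid csrf token")
    return (200, f"transferred {form['amount'][0]} for {session['user']}")


# Constructed requests. All three carry Alice's session cookie, because the
# browser attaches it to any request for the site regardless of which page
# initiated the request.
LEGIT_REQUEST = {  # submitted from the site's own transfer form
    "headers": {"Cookie": "session=sid-7f3a", "Origin": SITE_ORIGIN},
    "body": "amount=100&to=bob&csrf_token=tok-9c2e",
}
FORGED_REQUEST = {  # auto-submitted form hosted on https://evil.example
    "headers": {"Cookie": "session=sid-7f3a", "Origin": "https://evil.example"},
    "body": "amount=100000&to=mallory",
}
FORGED_NO_ORIGIN = {  # same attack from a client that sends no Origin header
    "headers": {"Cookie": "session=sid-7f3a"},
    "body": "amount=100000&to=mallory",
}


def demo():
    """Status code each handler returns for each request."""
    return {
        "cookie_only/legit": transfer_cookie_only(LEGIT_REQUEST)[0],
        "cookie_only/forged": transfer_cookie_only(FORGED_REQUEST)[0],
        "hardened/legit": transfer_hardened(LEGIT_REQUEST)[0],
        "hardened/forged": transfer_hardened(FORGED_REQUEST)[0],
        "hardened/forged_no_origin": transfer_hardened(FORGED_NO_ORIGIN)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token check is the primary control: the Origin header is only a supplementary check because a client that omits it (the third constructed request) must still be rejected, and the token can only be obtained by a page that the server itself rendered for that session.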


Re: I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

Mark Nottingham
Good points, Adam. Now that httpstate is running (something that wasn't on the cards when this document was written a few years ago), I suspect we can defer a fair amount of the Cookie-related discussion to it.

Regards,


On 11/03/2010, at 4:18 AM, Adam Barth wrote:

>

--
Mark Nottingham       [hidden email]




Re: I-D ACTION:draft-ietf-httpbis-security-properties-04.txt

=JeffH
Thanks for the bug reports, Adam. Yes, I/we're largely aware of them -- we were
just up against the I-D deadline, so I didn't address details in trying to just
get the I-D re-published and editorship changed over.

Additionally, it seems to us that the overall goal of the doc is not clear,
hence this comment we added:

    [[ OVERALL ISSUE: It isn't entirely clear to the present editors what
    the purpose of this document is.  On one hand it could be a
    compendium of peer-entity authentication mechanisms (as it is
    presently) and make MTI recommendations thereof, or it could be a
    place for various security considerations (either coalesced here from
    the other httpbis specs, or reserved for the more gnarly cross-spec
    composite ones), or both.  This needs to be clarified. ]]

thanks again,

=JeffH