I-D Action:draft-secure-cookie-session-protocol-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : SCS: Secure Cookie Sessions for HTTP
	Author(s)       : S. Barbato, et al.
	Filename        : draft-secure-cookie-session-protocol-01.txt
	Pages           : 19
	Date            : 2011-03-06

This document provides an overview of SCS, a small cryptographic
protocol layered on top of the HTTP cookie facility, that allows its
users to produce and consume authenticated and encrypted cookies, as
opposed to usual cookies, which are un-authenticated and sent in
clear text.

An interesting property, rising naturally from the given
confidentiality and authentication properties, is that by using SCS
cookies, it is possible to avoid storing the session state material
on the server side altogether.  In fact, an SCS cookie presented by
the user agent to the origin server can always be validated (i.e.
possibly recognized as self-produced, untampered material) and, as
such, be used to safely restore application state.

Hence, typical use cases may include devices with little or no
storage offering some functionality via an HTTP interface, as well as
web applications with high availability or load balancing
requirements which would prefer to handle application state without
the need to synchronize the pool through shared storage or peering.

Nevertheless, its security properties allow SCS to be used whenever
the privacy and integrity of cookies is a concern, by paying an
affordable price in terms of increased cookie size, additional CPU
clock cycles needed by the symmetric key encryption and HMAC
algorithms, and related key management, which can be made a nearly
transparent task.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-secure-cookie-session-protocol-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-secure-cookie-session-protocol-01.txt>
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
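As an added example (not code from the draft or its authors), here is a minimal stateless session cookie in the spirit of what the abstract describes: the state is encrypted, tagged with a timestamp, a key-set identifier and an IV, and the whole thing is covered by an HMAC, so the server can validate a cookie as self-produced and untampered without storing anything. It assumes constructed demo keys and, because the standard library has no block cipher, uses an HMAC-SHA256 counter-mode keystream as a stand-in for the symmetric cipher a real deployment would use; the field layout is an illustration, not the draft's wire format.

```python
import base64, hashlib, hmac, os, struct, time
from typing import Optional

# Constructed demo keys; a real deployment keeps separate encryption and HMAC
# keys per key-set identifier (TID) and rotates them.
K_ENC = b"demo-encryption-key-0123456789ab"
K_MAC = b"demo-hmac-key-0123456789abcdef01"
TID = b"k1"          # identifies which key set sealed the cookie
MAX_AGE = 3600       # seconds a cookie stays valid after its timestamp

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for a block cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _b64(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b)

def seal(state: bytes, now: Optional[int] = None) -> str:
    """Encrypt the state, then MAC the encoded fields (encrypt-then-MAC)."""
    iv = os.urandom(16)
    atime = str(now if now is not None else int(time.time())).encode()
    fields = [_b64(_xor(state, _keystream(K_ENC, iv, len(state)))),
              _b64(atime), _b64(TID), _b64(iv)]
    tag = hmac.new(K_MAC, b"|".join(fields), hashlib.sha256).digest()
    return b"|".join(fields + [_b64(tag)]).decode()

def open_cookie(value: str, now: Optional[int] = None) -> Optional[bytes]:
    """Validate and decrypt; any failure returns None so the caller treats
    the cookie as absent rather than trusting partial data."""
    try:
        parts = value.encode().split(b"|")
        if len(parts) != 5:
            return None
        fields, tag = parts[:4], base64.urlsafe_b64decode(parts[4])
        # Check the tag first, in constant time, before touching the ciphertext.
        expected = hmac.new(K_MAC, b"|".join(fields), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        e_data, atime, tid, iv = (base64.urlsafe_b64decode(f) for f in fields)
        if tid != TID:           # sealed under a key set we no longer accept
            return None
        cur = now if now is not None else int(time.time())
        if not 0 <= cur - int(atime) <= MAX_AGE:   # expired or from the future
            return None
        return _xor(e_data, _keystream(K_ENC, iv, len(e_data)))
    except (ValueError, TypeError):
        return None
```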
