I-D Action: draft-secure-cookie-session-protocol-07.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



A New Internet-Draft is available from the on-line Internet-Drafts directories.


	Title           : SCS: Secure Cookie Sessions for HTTP
	Author(s)       : Stefano Barbato
                          Steven Dorigotti
                          Thomas Fossati
	Filename        : draft-secure-cookie-session-protocol-07.txt
	Pages           : 21
	Date            : 2012-10-08

Abstract:
   This document provides an overview of SCS, a small cryptographic
   protocol layered on top of the HTTP cookie facility, that allows its
   users to produce and consume authenticated and encrypted cookies, as
   opposed to usual cookies, which are un-authenticated and sent in
   clear text.

   An interesting property, rising naturally from the given
   confidentiality and authentication properties, is that by using SCS
   cookies, it is possible to avoid storing the session state material
   on the server side altogether.  In fact, an SCS cookie presented by
   the user agent to the origin server can always be validated (i.e.
   possibly recognized as self-produced, fresh, untampered material)
   and, as such, be used to safely restore application state.

   Hence, typical use cases may include devices with little or no
   storage offering some functionality via an HTTP interface, as well as
   web applications with high availability or load balancing
   requirements which would prefer to handle application state without
   the need to synchronize the pool through shared storage or peering.

   Another noteworthy application scenario is represented by the
   distribution of authorized web content (e.g. by CDNs), where an SCS
   token can be used, either in a cookie or embedded in the URI, to
   provide evidence of the entitlement to access the associated resource
   by the requesting user agent.

   Nevertheless, its security properties allow SCS to be used whenever
   the privacy and integrity of cookies is a concern, by paying an
   affordable price in terms of increased cookie size, additional CPU
   clock cycles needed by the symmetric key encryption and HMAC
   algorithms, and related key management, which can be made a nearly
   transparent task.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-secure-cookie-session-protocol

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-secure-cookie-session-protocol-07

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-secure-cookie-session-protocol-07


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux