Hello,

Just jumped over here from the http list per Yoav Nir's request for feedback with regard to the draft-williams-websec-session-continue-prob draft.

Overall I think the draft is a good start. There definitely does need to be more of an explanation as to why the existing cookie-based mechanism is bad.

As far as more forward-looking feedback is concerned, I wanted to point to the In-Session Key Negotiation draft I wrote as input to the ongoing http/2 discussion:

http://tools.ietf.org/html/draft-snell-httpbis-keynego-00

This draft introduces a new (currently experimental) bidirectional key-negotiation sub-protocol within spdy/http2 for the negotiation of secure keys and can be used for the establishment of authenticated and unauthenticated sessions. (Note that I'm just making sure folks know about this draft as it is relevant to the discussion)...

Running down through the list of requirements stated by the websec-session-continue-prob draft, it covers a good deal of the issues.

- James
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec