Re: [http-state] Welcome to http-state

Bil Corry <bil@corry.biz> Mon, 12 January 2009 22:48 UTC


Adam Barth wrote on 1/12/2009 3:59 PM: 
> The Cookie-Integrity header has two advantages over altering the
> semantics of Set-Cookie:

I brought this up on the old list; what about using $Version instead?

Something like:

	Set-Cookie: a=b; Version="3"; HTTPOnly; Secure

to which the browser responds:

	Cookie: $Version="3"; a=b; $Integrity="HTTPOnly,Secure"


Of course, we're reworking the cookie spec, so presumably we can choose a better method (which may be the Cookie-Integrity header).  One idea I tossed around with Yngve was to repurpose Cookie2 (which only Opera currently supports) and make it the "new" cookie standard.  Then it's just a matter of educating developers to use Cookie2 instead of Cookie (and makes discussion about the update easier).  Because of the limited deployment of Cookie2, I'd imagine any backwards compatibility problems would also be limited.


- Bil
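
Added example, not part of the message above or of any cookie specification: a server-side check that parses the proposed `Cookie` request header and accepts a cookie only when the browser reports the flags it was set with. It assumes that `$Integrity` applies to the cookie pair immediately before it (the convention RFC 2965 uses for `$Path` and `$Domain`) and that a missing `$Version="3"` means the report is absent; the function names are hypothetical.

```python
import re

# One "name=value" pair; the value may be a quoted-string (commas allowed inside).
_PAIR = re.compile(r'\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*(?:;|$)')

# First header is the one in the message; the second is constructed for contrast.
FROM_MESSAGE = '$Version="3"; a=b; $Integrity="HTTPOnly,Secure"'
CONSTRUCTED_WEAK = '$Version="3"; a=b; $Integrity="HTTPOnly"'

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value

def parse_cookie_header(header):
    """Return (version, {name: {"value": str, "integrity": frozenset or None}})."""
    header = header.strip()
    version, cookies, last, pos = None, {}, None, 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if not m:
            raise ValueError("malformed Cookie header at offset %d" % pos)
        name, value, pos = m.group(1), _unquote(m.group(2)), m.end()
        if name.lower() == "$version":
            version = value
        elif name.lower() == "$integrity":
            # Assumption: the attribute describes the preceding cookie.
            if last is None:
                raise ValueError("$Integrity appears before any cookie")
            flags = (f.strip().lower() for f in value.split(","))
            cookies[last]["integrity"] = frozenset(f for f in flags if f)
        elif not name.startswith("$"):  # other $-attributes are ignored
            cookies[name] = {"value": value, "integrity": None}
            last = name
    return version, cookies

def integrity_ok(header, name, required=("httponly", "secure")):
    """Fail closed: True only if every required flag is reported for `name`."""
    try:
        version, cookies = parse_cookie_header(header)
    except ValueError:
        return False
    cookie = cookies.get(name)
    if version != "3" or cookie is None or cookie["integrity"] is None:
        return False
    return set(required) <= cookie["integrity"]
```

A legacy browser that sends only `Cookie: a=b` fails this check, so a deployment would have to decide whether to reject such requests or fall back to treating the cookie as unverified.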
