Re: [http-state] I-D Action:draft-ietf-httpstate-cookie-03.txt
Achim Hoffmann <ah@securenet.de> Tue, 23 February 2010 07:44 UTC
Return-Path: <ah@securenet.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 807E528C25D for <http-state@core3.amsl.com>; Mon, 22 Feb 2010 23:44:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[AWL=0.261, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6ep1VKVhaO9 for <http-state@core3.amsl.com>; Mon, 22 Feb 2010 23:44:29 -0800 (PST)
Received: from munich.securenet.de (munich.securenet.de [82.135.17.200]) by core3.amsl.com (Postfix) with ESMTP id 6CD3728C258 for <http-state@ietf.org>; Mon, 22 Feb 2010 23:44:29 -0800 (PST)
Received: from oxee.securenet.de (unknown [10.30.18.40]) by munich.securenet.de (Postfix) with ESMTP id 3C96E27191 for <http-state@ietf.org>; Tue, 23 Feb 2010 08:46:30 +0100 (CET)
Received: by oxee.securenet.de (Postfix, from userid 65534) id 200A4140202A; Tue, 23 Feb 2010 08:46:30 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by oxee.securenet.de (Postfix) with ESMTP id A11681402027; Tue, 23 Feb 2010 08:46:29 +0100 (CET)
Received: from oxee.securenet.de ([127.0.0.1]) by localhost (oxee.securenet.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25355-04; Tue, 23 Feb 2010 08:46:29 +0100 (CET)
Received: from [10.30.18.9] (krakatau.securenet.de [10.30.18.9]) by oxee.securenet.de (Postfix) with ESMTP id 8BBC3140242E; Tue, 23 Feb 2010 08:46:29 +0100 (CET)
Message-ID: <4B8387D5.8010902@securenet.de>
Date: Tue, 23 Feb 2010 08:46:29 +0100
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
User-Agent: who">cares?
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <20100213080001.D07A03A73C7@core3.amsl.com> <4B82C8EE.8000107@securenet.de> <5c4444771002222232v5487c592w22e7abef288cf6e5@mail.gmail.com>
In-Reply-To: <5c4444771002222232v5487c592w22e7abef288cf6e5@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Open-Xchange Express amavisd-new at oxee.securenet.de
Cc: http-state@ietf.org
Subject: Re: [http-state] I-D Action:draft-ietf-httpstate-cookie-03.txt
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 07:44:30 -0000
Hi Adam, Julian already gave the answer: dates from the server MUST be in rfc1123 format the browser MAY accept other formats So I don't have concerns. Thanks for clarifying. Achim Adam Barth wrote on 23.02.2010 07:32: > On Mon, Feb 22, 2010 at 10:11 AM, Achim Hoffmann <ah@securenet.de> wrote: >> Simple question about the *dates" in this draft: >> >> 1) If I understand 5.1.1. Dates correctly, the format of the date is >> fixed and must be in GMT. >> IIRC the date format in RFC2616 allows more variants. Also the timezone >> may be different to GMT (see RFC2616, 19.3). >> >> So the definitions in this draft would brake old behaviours. >> (Though, from a security point of view, I'd prefer the draft definition:) > > The date format in 5.1.1. is specifically constructed to avoid > breaking legacy servers. Is your concern based on a specific legacy > server or general philosophy? > >> 2) In 4.1.2. Semantics (third paragraph) we read: >> " .. by including an Expires attribute with a value in the past." >> This is a bit missleading unless all date formats are GMT (see 1) above). > > This section is non-normative. If the server behaves as recommended > (e.g., uses rfc1123-date), then this advice is sensible. > > Adam >
- [http-state] I-D Action:draft-ietf-httpstate-cook… Internet-Drafts
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Achim Hoffmann
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Julian Reschke
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Achim Hoffmann
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Adam Barth
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Adam Barth
- Re: [http-state] I-D Action:draft-ietf-httpstate-… David Morris
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Achim Hoffmann
- Re: [http-state] {Dangerous Content?} I-D Action:… Achim Hoffmann
- Re: [http-state] I-D Action:draft-ietf-httpstate-… Adam Barth
- Re: [http-state] {Dangerous Content?} I-D Action:… Adam Barth