Re: [http-state] Securing cookie domain handling

Daniel Stenberg <daniel@haxx.se> Mon, 30 January 2012 20:56 UTC

Date: Mon, 30 Jan 2012 21:56:03 +0100
From: Daniel Stenberg <daniel@haxx.se>
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
In-Reply-To: <op.v8wugsdcqrq7tp@acorna.oslo.osa>
Message-ID: <alpine.DEB.2.00.1201302153240.11746@tvnag.unkk.fr>
References: <op.v8wugsdcqrq7tp@acorna.oslo.osa>
Cc: HTTP-state mailing list <http-state@ietf.org>
Subject: Re: [http-state] Securing cookie domain handling

On Mon, 30 Jan 2012, Yngve N. Pettersen (Developer Opera Software ASA) wrote:

> Should the IETF, through the HTTPState WG, websec, or other WG look into 
> this issue, and try to define a method? Are there other ways forward than 
> the ones mentioned above that will work equally well, or better?

As so many cookie efforts have failed already, I need to ask the question: what 
would it take for such an effort to actually take off and get wide use in the 
wild? And is an effort from the IETF or others likely to make that happen?

-- 

  / daniel.haxx.se