Re: [http-state] Welcome to http-state

A couple other quick items that may be worth chewing over:

1. While RFC2109 and draft-pettersen-cookie-v2-03.txt define the
'Secure' cookie-av to advise the user-agent against sending the cookie
over an insecure transport they do not define the desired user-agent
behavior for cross scheme writing. For example, http://foo.bar
clobbering a cookie set by https://foo.bar. 

2. RFC2109 and draft-pettersen-cookie-v2-03.txt define rules for
path-matching but fail to clearly indicate if these are case sensitive
comparisons. Removing some ambiguity in this area may be beneficial. 

Let me know if I have overlooked something that defines the above - it's
more than possible :)

Blake

-----Original Message-----
From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org]
On Behalf Of Bil Corry
Sent: Friday, January 09, 2009 10:08 AM
To: http-state@ietf.org
Subject: [http-state] Welcome to http-state

It appears the subscriptions have subsided, so thank you to everyone who
has joined so far.

== First, some background history == 

Some time ago on OWASP's Intrinsic Security list, I brought up the issue
of HTTPOnly not being consistently implemented (or lacking
implementation altogether) across the major browsers, based mostly on
OWASP's HTTPOnly resource page:

http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly

Jim Manico responded that he was actively promoting HTTPOnly
implementation to various browsers and welcomed help to do more.  In
that conversation, we agreed that a uniform specification would probably
be beneficial for the browser vendors and we started a group to do so.
In promoting the group across various lists, I consistently received
feedback that *cookies* needed a specification, and why were we
bothering with HTTPOnly.  This group at IETF is the result of our
decision to take on the entire cookie spec, not just HTTPOnly.

== Goal for this group ==

Ultimately, the purpose of this group is to create an updated HTTP State
Management Mechanism RFC (aka cookies) that will supersede the Netscape
spec, RFCs 2109, 2964, 2965 then add in real-world usage (e.g.
HTTPOnly), and possibly add in additional features and possibly merge in
draft-broyer-http-cookie-auth-00.txt and
draft-pettersen-cookie-v2-03.txt.

I'm assuming an update to bcp44 is probably needed as well, but
truthfully I haven't looked at it.

Did I miss anything relevant to creating an update cookie RFC?

== Creating a Working Group ==

In order to create a RFC, we need a Working Group.  In order to create a
Working Group, we need enough interested people to join a BOF at an IETF
meeting and to volunteer to help run the Working Group:

	http://www.ietf.org/tao.html#rfc.section.6

I'll be attending the next IETF meeting and don't mind taking on the
role of Working Group Chair, but I will need others to also attend, lend
support and volunteer for the various responsibilities required.

The next IETF meeting is March 22-27, 2009 in San Francisco:

	http://www.ietf.org/meetings/74/

If you will be attending, please let me know.  I'll approach Lisa
Dusseault about having a BOF at the next IETF meeting and would like to
give her an idea of how many people are already interested in it.

== Initial first steps ==

While we work on forming a Working Group, we can start the actual RFC
process now by working on creating an Internet Draft:

	http://www.ietf.org/tao.html#rfc.section.8.1

There are a few ways to get started; I'm thinking that taking an
inventory of what is wrong or missing from RFC2109 as compared to the
"real world" may be a good place to start.

Thoughts?

- Bil

_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state