Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?
"Shelby Moore" <shelby@coolpage.com> Thu, 26 August 2010 19:13 UTC
Return-Path: <shelby@coolpage.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 118363A67C0 for <http-state@core3.amsl.com>; Thu, 26 Aug 2010 12:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.333
X-Spam-Level:
X-Spam-Status: No, score=-2.333 tagged_above=-999 required=5 tests=[AWL=0.266, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q6zuAbM5rXfY for <http-state@core3.amsl.com>; Thu, 26 Aug 2010 12:13:24 -0700 (PDT)
Received: from www5.webmail.pair.com (www5.webmail.pair.com [66.39.3.83]) by core3.amsl.com (Postfix) with SMTP id 893FD3A6988 for <http-state@ietf.org>; Thu, 26 Aug 2010 12:13:24 -0700 (PDT)
Received: (qmail 81829 invoked by uid 65534); 26 Aug 2010 19:13:56 -0000
Received: from 121.97.54.174 ([121.97.54.174]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Thu, 26 Aug 2010 15:13:56 -0400
Message-ID: <4cefb87bd1a796e242c1218b50629f1c.squirrel@sm.webmail.pair.com>
Date: Thu, 26 Aug 2010 15:13:56 -0400
From: Shelby Moore <shelby@coolpage.com>
To: http-state@ietf.org
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2010 19:13:28 -0000
>> 1) 4.1.2.6. The HttpOnly Attribute. I propose that we need also >> NoHttp Attribute > > No need to. We don't add or change anything in the protocol, we only > document it in this step! Please add it to the list of requested features for cookies. Afaiu, HttpOnly was originally an adhoc feature added by Microsoft, that was then copied by others. Assuming the new features do not always have to be created in the market first, then please add my request to your consideration in what ever WG is appropriate. I notice many of you are members of multiple WGs, so you know better than I do, where to introduce this feature request to the record. Please reference my original post from the archive: http://www.ietf.org/mail-archive/web/http-state/current/msg00927.html >> 2) 5.3. Storage Model. Please recommend that HTTPS cookies be stored >> encrypted (it can't hurt): >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=588704 > > This is something that could be added to the security considerations > section in some fashion, if the WG agrees. That would be most appreciated. > Surely it _can_ hurt, for the cases when a second program would > like to read the cookie storage from a first program. That is an egregarious security hole. My request was for HTTPS cookies, not for HTTP cookies. > It is for example a rather common way to continue a "session" that > was begun with one HTTP client to complete it with a second one. I have no idea why you think a secure HTTPS client would want to open such a security hole? > But if the cookies are meant to be stored on a medium where no others > should be able to pick up the cookies from, That is what users have been screaming for 11 years since 1999, why are we ignoring them for 11 years. See proof at this link: https://bugzilla.mozilla.org/show_bug.cgi?id=19184 > I figure you could use encryption or other means your system, OS and > environment allow. Do we really need to say that in a protocol spec? What is wrong with recommending what users assume is true for secure websites? Do you realize that most users assume you are not making their information unencrypted for viruses? They expect that we technical people are taking care of them. I did not request the use of the word MUST nor SHOULD. I just asked that we make a recommendation to encrypt if possible, unless the user has explicitly opted out. >> 3) 6.2. Application Programming Interfaces. Please change "Instead of" >> to "In addition to". Never should semantic APIs be a restriction of the >> general capability. Please! > > You're apparently referring to 2nd para of sec 6.2. I'm personally fine > with the wording and sentiment of the statements there. again WG would > have to consider any changes. Above you wrote that you are only documenting the way the web is now. Now you are saying it is ok to insist that browsers replace the set-cookie function with one that will not work with existing websites. I have no problem with adding new APIs and see if they become popular, but I do have BIG problem with insisting that browsers remove the general functionality. How will I store what I want to store in a cookie, if the semantic functions provided are insufficient, and you have removed the general string way? >> 4) 8.7. Reliance on DNS. If browsers properly implement per website >> self-signed certificates: >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c47 > > The reply to your point (1) applies here too. > We document the current protocol and practises here. That does not > currently include "per website self-signed certificates". Why does Daniel Veditz of Mozilla/Firefox say it is a standard feature? https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c46 Thanks in advance for your consideration.
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- [http-state] IETF-wide Last Call for -httpstate-c… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann
- Re: [http-state] IETF-wide Last Call for -httpsta… Adam Barth
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann
- Re: [http-state] IETF-wide Last Call for -httpsta… Shelby Moore
- Re: [http-state] IETF-wide Last Call for -httpsta… Peter Saint-Andre
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Adam Barth
- Re: [http-state] IETF-wide Last Call for -httpsta… =JeffH
- Re: [http-state] IETF-wide Last Call for -httpsta… Daniel Stenberg
- Re: [http-state] IETF-wide Last Call for -httpsta… Bjoern Hoehrmann