Re: [http-state] Comments on draft-ietf-httpstate-cookie-08

Adam Barth <ietf@adambarth.com> Sat, 29 May 2010 16:52 UTC

I'll reply to your full email in detail later, but another note:

On Fri, May 28, 2010 at 6:05 PM, Yngve Nysaeter Pettersen
<yngve@opera.com> wrote:
> IMO the specification should specifically comment on these issues, and
> preferably allow clients to discard cookies with quotes that do not match
> the quoted-string syntax,

User agents already have the option to discard any cookie for any
reason.  Adding this text to the spec would be redundant.

> as well as specifically tell servers not to use
> double quotes, except as quoted-string (if they absolutely want to break the
> spec's requirement of only using tokens).

Adding this text to the spec would be redundant because the spec already
requires servers (at the SHOULD level) not to use quotes (either
double or single) at all.  More precisely, adding this text to the
spec would be a contrary-to-duty imperative, which, generally
speaking, are quite dubious logically.

> Perhaps one way to do that is to
> specifically say that the result of using quotes in this fashion is
> undefined?

Leaving things like this undefined hurts interoperability.

Adam