Re: [http-state] I-D Action:draft-ietf-httpstate-cookie-03.txt

Achim Hoffmann <ah@securenet.de> Mon, 22 February 2010 18:10 UTC


Simple question about the *dates* in this draft:

1) If I understand 5.1.1. Dates correctly, the format of the date is
   fixed and must be in GMT.
   IIRC the date format in RFC2616 allows more variants. Also the timezone
   may be different to GMT (see RFC2616, 19.3).

   So the definitions in this draft would break old behaviours.
   (Though, from a security point of view, I'd prefer the draft definition:)

2) In 4.1.2. Semantics (third paragraph) we read:
	" .. by including an Expires attribute with a value in the past."
   This is a bit misleading unless all date formats are GMT (see 1) above).


Achim
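Both points in the mail, worked through in Python as an added example (not code from the mail or the draft): a tolerant parser for the RFC 2616 date layouts that converts an explicit zone offset to UTC, beside a strict mode that models point 1's reading of the draft, and the effect on "a value in the past". Assumed, not taken from the draft: strict mode accepts only the rfc1123 layout with a literal GMT zone, and EXAMPLE_NOW is a constructed clock.

```python
import re
from datetime import datetime, timedelta, timezone

# Layouts a tolerant RFC 2616 recipient accepts (3.3.1, 19.3): rfc1123-date, rfc850-date,
# asctime-date, plus Netscape's hyphenated form. %y: 69-99 -> 19xx, 00-68 -> 20xx.
_LAYOUTS = (
    "%a, %d %b %Y %H:%M:%S",   # Sun, 06 Nov 1994 08:49:37
    "%A, %d-%b-%y %H:%M:%S",   # Sunday, 06-Nov-94 08:49:37
    "%a, %d-%b-%Y %H:%M:%S",   # Sun, 06-Nov-1994 08:49:37
    "%a %b %d %H:%M:%S %Y",    # Sun Nov  6 08:49:37 1994 (asctime: no zone token)
)
_NUMERIC_ZONE = re.compile(r"^([+-])(\d{2})(\d{2})$")
EXAMPLE_NOW = datetime(2010, 2, 22, 18, 10, tzinfo=timezone.utc)  # constructed "now" (UTC)

def _zone_offset(zone):
    if zone.upper() in ("GMT", "UTC", "UT"):
        return timedelta(0)
    m = _NUMERIC_ZONE.match(zone)
    if m is None:
        return None
    sign = 1 if m.group(1) == "+" else -1
    return sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))

def parse_http_date(value, strict_gmt=False):
    """Parse an Expires value to an aware UTC datetime, or None if it does not parse."""
    text = " ".join(value.split())
    body, _, zone = text.rpartition(" ")
    if strict_gmt:
        # Assumed model of point 1: one fixed layout (rfc1123-date) and the literal "GMT".
        if zone != "GMT":
            return None
        try:
            return datetime.strptime(body, _LAYOUTS[0]).replace(tzinfo=timezone.utc)
        except ValueError:
            return None
    offset = _zone_offset(zone)
    if offset is None:
        # No zone token (asctime-date never carries one): RFC 2616 says that means GMT.
        body, offset = text, timedelta(0)
    for layout in _LAYOUTS:
        try:
            return (datetime.strptime(body, layout) - offset).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def cookie_expired(expires_value, now):
    """Point 2: 'a value in the past' is only well defined once both sides are in UTC."""
    when = parse_http_date(expires_value)
    return when is not None and when <= now
```

With EXAMPLE_NOW at 18:10 UTC, the same wall-clock reading "18:30:00" is in the past when tagged +0100 and in the future when tagged GMT; strict mode rejects the +0100 form entirely.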


> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the HTTP State Management Mechanism Working Group of the IETF.
> 
> 
> 	Title           : HTTP State Management Mechanism
> 	Author(s)       : A. Barth
> 	Filename        : draft-ietf-httpstate-cookie-03.txt
> 	Pages           : 29
> 	Date            : 2010-02-12
> 
> This document defines the HTTP Cookie and Set-Cookie headers.  These
> headers can be used by HTTP servers to store state on HTTP user
> agents, letting the servers maintain a stateful session over the
> mostly stateless HTTP protocol.  The cookie protocol has many
> historical infelicities and should be avoided for new applications of
> HTTP.
> 
> 
> NOTE: If you have suggestions for improving the draft, please send
> email to http-state@ietf.org.  Suggestions with test cases are
> especially appreciated.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-httpstate-cookie-03.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> 
> 