Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
Maciej Stachowiak <mjs@apple.com> Wed, 24 February 2010 08:30 UTC
Return-Path: <mjs@apple.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 36D2F3A79B5 for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 00:30:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.901
X-Spam-Level:
X-Spam-Status: No, score=-106.901 tagged_above=-999 required=5 tests=[AWL=-0.303, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id od2cQD8LDILL for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 00:30:11 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 4431D3A7038 for <http-state@ietf.org>; Wed, 24 Feb 2010 00:30:11 -0800 (PST)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out3.apple.com (Postfix) with ESMTP id 2B1D9864FE8B for <http-state@ietf.org>; Wed, 24 Feb 2010 00:32:17 -0800 (PST)
X-AuditID: 11807134-b7cd9ae000001002-55-4b84e410256b
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay14.apple.com (Apple SCV relay) with SMTP id AF.B2.04098.014E48B4; Wed, 24 Feb 2010 00:32:17 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_p6Qmkaec0lMft2zx9dZvOA)"
Received: from [10.0.1.5] (c-69-181-42-237.hsd1.ca.comcast.net [69.181.42.237]) by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KYC00LLX7PS7O80@elliott.apple.com> for http-state@ietf.org; Wed, 24 Feb 2010 00:32:16 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com>
Date: Wed, 24 Feb 2010 00:32:15 -0800
Message-id: <CE6C502B-C18D-4C3C-9312-AD4764B7857C@apple.com>
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 08:30:12 -0000
On Feb 23, 2010, at 6:55 PM, Adam Barth wrote: > On Tue, Feb 23, 2010 at 9:10 AM, Anne van Kesteren > <annevk@opera.com> wrote: > >> There's no suitable replacement for cookies >> available currently so giving this advice seems a bit premature, >> but maybe I >> misunderstand what it says. > > Hopefully we'll create a suitable replacement in phase two. If not, > necessity is the mother of invention... I look forward to the more exciting XHTML2 phase of our Working Group, but perhaps we should wait until we actually have a good replacement before we tell people to stop using what works today. > On Tue, Feb 23, 2010 at 9:15 AM, Blake Frantz > <bfrantz@cisecurity.org> wrote: >> Similarly, the top of section '7.1 General Recommendations' states: >> >> "The cookie protocol is NOT RECOMMENDED for new applications". >> >> This statement may require the same clarification as the one noted >> by Anne. > > What clarification do you have in mind? Keep in mind that we're > writing this document for the long term. Just because we don't have > an alternative in mind doesn't mean we won't have better options in > the future. > > Would you really recommend that new applications of HTTP use cookies? Doesn't "NOT RECOMMENDED" effectively give a SHOULD-level requirement not to use any of the spec we are developing, and furthermore one that is likely to be almost totally ignored? That seems like two good reasons to omit that statement, at least if it is framed as a conformance statement. Regards, Maciej
- [http-state] Whether to recommend the cookie prot… Adam Barth
- Re: [http-state] Whether to recommend the cookie … Blake Frantz
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Julian Reschke
- Re: [http-state] Whether to recommend the cookie … Maciej Stachowiak
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … David Morris
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Adam Barth
- Re: [http-state] Whether to recommend the cookie … Peter Saint-Andre
- Re: [http-state] Whether to recommend the cookie … Achim Hoffmann