[http-state] Welcome to http-state

Bil Corry <bil@corry.biz> Fri, 09 January 2009 18:08 UTC

Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [] (localhost []) by core3.amsl.com (Postfix) with ESMTP id 9124E3A699E; Fri, 9 Jan 2009 10:08:47 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 9316C3A687D for <http-state@core3.amsl.com>; Fri, 9 Jan 2009 10:08:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.012
X-Spam-Status: No, score=-6.012 tagged_above=-999 required=5 tests=[AWL=-4.277, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id LSeUOodcII-I for <http-state@core3.amsl.com>; Fri, 9 Jan 2009 10:08:45 -0800 (PST)
Received: from mail.mindio.com (app1.bc.anu.net []) by core3.amsl.com (Postfix) with ESMTP id 01C873A699E for <http-state@ietf.org>; Fri, 9 Jan 2009 10:08:41 -0800 (PST)
Received: from [] (c-98-206-56-182.hsd1.in.comcast.net []) by mail.mindio.com (Postfix) with ESMTP id D7CA219C238 for <http-state@ietf.org>; Fri, 9 Jan 2009 12:08:25 -0600 (CST)
Message-ID: <49679299.6060703@corry.biz>
Date: Fri, 09 Jan 2009 12:08:25 -0600
From: Bil Corry <bil@corry.biz>
User-Agent: Thunderbird (Windows/20081209)
MIME-Version: 1.0
To: "http-state@ietf.org" <http-state@ietf.org>
X-Enigmail-Version: 0.95.7
Subject: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org

It appears the subscriptions have subsided, so thank you to everyone who has joined so far.

== First, some background history == 

Some time ago on OWASP's Intrinsic Security list, I brought up the issue of HTTPOnly not being consistently implemented (or lacking implementation altogether) across the major browsers, based mostly on OWASP's HTTPOnly resource page:


Jim Manico responded that he was actively promoting HTTPOnly implementation to various browsers and welcomed help to do more.  In that conversation, we agreed that a uniform specification would probably be beneficial for the browser vendors and we started a group to do so.  In promoting the group across various lists, I consistently received feedback that *cookies* needed a specification, and why were we bothering with HTTPOnly.  This group at IETF is the result of our decision to take on the entire cookie spec, not just HTTPOnly.

== Goal for this group ==

Ultimately, the purpose of this group is to create an updated HTTP State Management Mechanism RFC (aka cookies) that will supersede the Netscape spec, RFCs 2109, 2964, 2965 then add in real-world usage (e.g. HTTPOnly), and possibly add in additional features and possibly merge in draft-broyer-http-cookie-auth-00.txt and draft-pettersen-cookie-v2-03.txt.

I'm assuming an update to bcp44 is probably needed as well, but truthfully I haven't looked at it.

Did I miss anything relevant to creating an update cookie RFC?

== Creating a Working Group ==

In order to create a RFC, we need a Working Group.  In order to create a Working Group, we need enough interested people to join a BOF at an IETF meeting and to volunteer to help run the Working Group:


I'll be attending the next IETF meeting and don't mind taking on the role of Working Group Chair, but I will need others to also attend, lend support and volunteer for the various responsibilities required.

The next IETF meeting is March 22-27, 2009 in San Francisco:


If you will be attending, please let me know.  I'll approach Lisa Dusseault about having a BOF at the next IETF meeting and would like to give her an idea of how many people are already interested in it.

== Initial first steps ==

While we work on forming a Working Group, we can start the actual RFC process now by working on creating an Internet Draft:


There are a few ways to get started; I'm thinking that taking an inventory of what is wrong or missing from RFC2109 as compared to the "real world" may be a good place to start.


- Bil

http-state mailing list