Re: [http-state] Ticket 6: host-only cookies

Lisa Dusseault <lisa.dusseault@gmail.com> Fri, 29 January 2010 20:09 UTC

Date: Fri, 29 Jan 2010 12:09:56 -0800
Message-ID: <ca722a9e1001291209x75f25c77v8b221fbc1bc1a62a@mail.gmail.com>
From: Lisa Dusseault <lisa.dusseault@gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: http-state <http-state@ietf.org>, Daniel Stenberg <daniel@haxx.se>
Subject: Re: [http-state] Ticket 6: host-only cookies

On Thu, Jan 28, 2010 at 2:12 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> This is an IETF spec, so it will obey IETF norms, and I can tell you
> that it won't pass IESG review with a non-secure alternative being
> allowed as part of the proposed standard.

IESG review has gotten more flexible in some ways in the four years
I've been on the IESG.  I would certainly expect a document to pass
IESG review (and if I saw any counter-arguments, would expect
excellent and well-informed arguments against the document) if
 - it clearly stated it was documenting existing behavior and
explained in descriptive terms how to interoperate with it
 - it stated that supporting the non-secure alternative in browsers
was NOT RECOMMENDED for best user experience
 - it stated that relying on the non-secure alternative in sites was
deprecated and NOT RECOMMENDED

I'm not saying that's the best approach for this particular issue, but
I'd rather debate what is the best approach for this particular issue
first, before worrying about what some future review group might or
might not do.

Lisa