Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?

=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 26 August 2010 17:30 UTC

Message-ID: <4C76A4EE.6010604@KingsMountain.com>
Date: Thu, 26 Aug 2010 10:31:26 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF HTTP State WG <http-state@ietf.org>
Subject: Re: [http-state] IETF-wide Last Call for -httpstate-cookie-10 ?

 > Respectfully as follows...
 >
 > http://www.ietf.org/mail-archive/web/http-state/current/msg00925.html
 >
 >> There've been no comments wrt -10 on the list since then.[snip]
 >>
 >> http://tools.ietf.org/rfcdiff?url2=draft-ietf-httpstate-cookie-10.txt
 >>
 >> Are there any objections to progressing -httpstate-cookie-10 to
 >> IETF-wide last call?
 >
 > I do not know where to submit objections, so I will submit them here and
 > please make sure they get relayed

Yes, this is the correct list to use; thanks for your comments.


 > 1) 4.1.2.6.  The HttpOnly Attribute.  I propose that we also need a NoHttp
 > Attribute, which would be the inverse case of HttpOnly.

Please note that this spec, draft-ietf-httpstate-cookie, is specifically in 
regard to how cookies are implemented/processed on the Web /today/. It is 
explicitly /not/ about introducing any new functionality into the present 
model. This should be clear from reading -httpstate-cookie (the spec).



 > 2) 5.3.  Storage Model. Please recommend that HTTPS cookies be stored
 > encrypted (it can't hurt):
 >
 > https://bugzilla.mozilla.org/show_bug.cgi?id=588704

This is something that could be added to the security considerations section in 
some fashion, if the WG agrees.


 > 3) 6.2.  Application Programming Interfaces.  Please change "Instead of"
 > to "In addition to".  Never should semantic APIs be a restriction of the
 > general capability. Please!

You're apparently referring to the 2nd paragraph of section 6.2. I'm personally 
fine with the wording and sentiment of the statements there. Again, the WG 
would have to consider any changes.


 > 4) 8.7.  Reliance on DNS. If browsers properly implement per website
 > self-signed certificates:
 >
 > https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c47

The reply to your point (1) applies here too.

thanks,

=JeffH
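As an added illustration of the HttpOnly behaviour discussed under points (1) and (3) above, here is a small Python model of the cookie storage-model rules as they stand in RFC 6265 (which draft-ietf-httpstate-cookie became): a "non-HTTP" API such as document.cookie can neither read, create, nor overwrite a cookie whose http-only flag is set, while the HTTP layer sees it normally. This is example code written for this page, not code from the draft, the thread, or any browser; the parser handles only name=value plus the Secure and HttpOnly attributes, the cookie values are constructed, and the class and function names are my own.

```python
"""Toy model of the HttpOnly rules from the cookie storage model (example code,
not from the draft).  Only name=value, Secure and HttpOnly are handled; Path,
Domain and Expires processing is omitted."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value (simplified) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
    return cookie


class CookieStore:
    """Per-user-agent cookie store with the http-only checks from sec. 5.3/5.4."""

    def __init__(self) -> None:
        self._jar: dict[str, Cookie] = {}

    def store(self, cookie: Cookie, from_http_api: bool) -> bool:
        """Return True if the cookie was stored, False if it was ignored."""
        # A non-HTTP API may not create a cookie with the http-only flag set...
        if not from_http_api and cookie.http_only:
            return False
        old = self._jar.get(cookie.name)
        # ...nor overwrite an existing cookie whose http-only flag is set.
        if old is not None and not from_http_api and old.http_only:
            return False
        self._jar[cookie.name] = cookie
        return True

    def cookie_string(self, for_http_api: bool, secure_channel: bool = True) -> str:
        """Build the Cookie header (HTTP) or document.cookie (non-HTTP) string."""
        out = []
        for c in self._jar.values():
            if c.http_only and not for_http_api:
                continue  # hidden from script
            if c.secure and not secure_channel:
                continue  # Secure cookies only travel over a secure channel
            out.append(f"{c.name}={c.value}")
        return "; ".join(out)


def demo() -> dict:
    """Server sets a session cookie and a preference; script then pokes at them.
    Cookie values here are constructed sample data."""
    jar = CookieStore()
    jar.store(parse_set_cookie("SID=31d4d96e407aad42; Secure; HttpOnly"), from_http_api=True)
    jar.store(parse_set_cookie("lang=en-US"), from_http_api=True)
    # Script (non-HTTP API) tries to clobber the session cookie and to mint
    # its own HttpOnly cookie; both must be ignored by the store.
    overwrite_ok = jar.store(parse_set_cookie("SID=attacker"), from_http_api=False)
    mint_ok = jar.store(parse_set_cookie("evil=1; HttpOnly"), from_http_api=False)
    return {
        "http": jar.cookie_string(for_http_api=True),     # "SID=31d4d96e407aad42; lang=en-US"
        "script": jar.cookie_string(for_http_api=False),  # "lang=en-US"
        "overwrite_ok": overwrite_ok,                     # False
        "mint_ok": mint_ok,                               # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the asymmetry the spec documents: HttpOnly restricts what a non-HTTP API may see or change, but says nothing about the HTTP side, which is why an inverse "NoHttp" attribute would be new functionality rather than a description of existing behaviour.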