Re: [http-state] http-state Digest, Vol 1, Issue 1
John Kemp <john@jkemp.net> Fri, 09 January 2009 20:35 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDCE428C11D; Fri, 9 Jan 2009 12:35:17 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB44B28C11D for <http-state@core3.amsl.com>; Fri, 9 Jan 2009 12:35:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.543
X-Spam-Level:
X-Spam-Status: No, score=-1.543 tagged_above=-999 required=5 tests=[AWL=0.578, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, SARE_URI_4_BIZ=0.144]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1xsxOREUCwVe for <http-state@core3.amsl.com>; Fri, 9 Jan 2009 12:35:15 -0800 (PST)
Received: from outbound-mail-29.bluehost.com (outbound-mail-29.bluehost.com [69.89.17.211]) by core3.amsl.com (Postfix) with SMTP id C1F2228C118 for <http-state@ietf.org>; Fri, 9 Jan 2009 12:35:15 -0800 (PST)
Received: (qmail 3775 invoked by uid 0); 9 Jan 2009 20:35:03 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by outboundproxy2.bluehost.com with SMTP; 9 Jan 2009 20:35:03 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Message-Id:From:To:In-Reply-To:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Date:References:X-Mailer:X-Identified-User; b=wrJNseZKnhtOq/Pqvq0hoTnKNTpuosGzlQioZiViHGnrGhrzhA67ojTW5d5BTymIWrGW4csJrrMSkfJku2lCqK70BzEQfSSrz3YiwNyRJZ496TU+lHci44nSCxsi0ONY;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=mztrcscn118.americas.nokia.com) by box320.bluehost.com with esmtpa (Exim 4.69) (envelope-from <john@jkemp.net>) id 1LLO4M-0004Ik-M9 for http-state@ietf.org; Fri, 09 Jan 2009 13:35:03 -0700
Message-Id: <56494B31-2F49-4805-A901-B9F6860591C1@jkemp.net>
From: John Kemp <john@jkemp.net>
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
In-Reply-To: <007701c97297$0875b610$19612230$@tapman@questconsultantsllc.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Fri, 09 Jan 2009 15:34:58 -0500
References: <mailman.51.1231531204.17652.http-state@ietf.org> <007701c97297$0875b610$19612230$@tapman@questconsultantsllc.com>
X-Mailer: Apple Mail (2.930.3)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Subject: Re: [http-state] http-state Digest, Vol 1, Issue 1
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
On Jan 9, 2009, at 3:15 PM, Micah Tapman wrote: > Speaking to the "browser" idea, and expanding on the libcurl comment > from > Daniel, I think we should consider changing the terminology to > something > like "client object" instead of "browser". I think you'd probably want to use 'user-agent', according to the definition from the HTTP 1.0 specification [1] , and which is already also used by RFC2109 [2] referencing [1]. > "The client which initiates a request. These are often browsers, > editors, spiders (web-traversing robots), or other end user tools." Regards, - johnk [1] http://www.w3.org/Protocols/HTTP/1.0/spec.html#Terminology [2] http://www.ietf.org/rfc/rfc2109.txt > > > Micah > > -----Original Message----- > From: http-state-bounces@ietf.org [mailto:http-state- > bounces@ietf.org] On > Behalf Of http-state-request@ietf.org > Sent: Friday, January 09, 2009 3:00 PM > To: http-state@ietf.org > Subject: http-state Digest, Vol 1, Issue 1 > > Send http-state mailing list submissions to > http-state@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/http-state > or, via email, send a message with subject or body 'help' to > http-state-request@ietf.org > > You can reach the person managing the list at > http-state-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of http-state digest..." > > > Today's Topics: > > 1. Welcome to http-state (Bil Corry) > 2. Re: Welcome to http-state (Daniel Stenberg) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 09 Jan 2009 12:08:25 -0600 > From: Bil Corry <bil@corry.biz> > Subject: [http-state] Welcome to http-state > To: "http-state@ietf.org" <http-state@ietf.org> > Message-ID: <49679299.6060703@corry.biz> > Content-Type: text/plain; charset=UTF-8 > > It appears the subscriptions have subsided, so thank you to everyone > who has > joined so far. > > == First, some background history == > > Some time ago on OWASP's Intrinsic Security list, I brought up the > issue of > HTTPOnly not being consistently implemented (or lacking implementation > altogether) across the major browsers, based mostly on OWASP's > HTTPOnly > resource page: > > http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly > > Jim Manico responded that he was actively promoting HTTPOnly > implementation > to various browsers and welcomed help to do more. In that > conversation, we > agreed that a uniform specification would probably be beneficial for > the > browser vendors and we started a group to do so. In promoting the > group > across various lists, I consistently received feedback that > *cookies* needed > a specification, and why were we bothering with HTTPOnly. This > group at > IETF is the result of our decision to take on the entire cookie > spec, not > just HTTPOnly. > > > > == Goal for this group == > > Ultimately, the purpose of this group is to create an updated HTTP > State > Management Mechanism RFC (aka cookies) that will supersede the > Netscape > spec, RFCs 2109, 2964, 2965 then add in real-world usage (e.g. > HTTPOnly), > and possibly add in additional features and possibly merge in > draft-broyer-http-cookie-auth-00.txt and draft-pettersen-cookie- > v2-03.txt. > > I'm assuming an update to bcp44 is probably needed as well, but > truthfully I > haven't looked at it. > > Did I miss anything relevant to creating an update cookie RFC? > > > > == Creating a Working Group == > > In order to create a RFC, we need a Working Group. In order to > create a > Working Group, we need enough interested people to join a BOF at an > IETF > meeting and to volunteer to help run the Working Group: > > http://www.ietf.org/tao.html#rfc.section.6 > > I'll be attending the next IETF meeting and don't mind taking on the > role of > Working Group Chair, but I will need others to also attend, lend > support and > volunteer for the various responsibilities required. > > The next IETF meeting is March 22-27, 2009 in San Francisco: > > http://www.ietf.org/meetings/74/ > > If you will be attending, please let me know. I'll approach Lisa > Dusseault > about having a BOF at the next IETF meeting and would like to give > her an > idea of how many people are already interested in it. > > > > == Initial first steps == > > While we work on forming a Working Group, we can start the actual RFC > process now by working on creating an Internet Draft: > > http://www.ietf.org/tao.html#rfc.section.8.1 > > There are a few ways to get started; I'm thinking that taking an > inventory > of what is wrong or missing from RFC2109 as compared to the "real > world" may > be a good place to start. > > Thoughts? > > > - Bil > > > > > > > > > ------------------------------ > > Message: 2 > Date: Fri, 9 Jan 2009 20:02:48 +0100 (CET) > From: Daniel Stenberg <daniel@haxx.se> > Subject: Re: [http-state] Welcome to http-state > To: Discuss HTTP State Management Mechanism <http-state@ietf.org> > Message-ID: <alpine.LRH.2.00.0901091958090.20014@yvahk3.pbagnpgbe.fr> > Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII > > On Fri, 9 Jan 2009, Bil Corry wrote: > >> http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly > > While not being a browser, libcurl is a HTTP library that supports > cookies > and > even HTTPOnly ones and it is used in browsers (and browser-like > applications) > at times. > >> There are a few ways to get started; I'm thinking that taking an >> inventory > >> of what is wrong or missing from RFC2109 as compared to the "real >> world" > may >> be a good place to start. > > It sounds like a fair way to get started, but RFC2109 is quite far > away from > > how cookies work in real life so the differences are going to be > substantial. > > -- > > / daniel.haxx.se > > > ------------------------------ > > _______________________________________________ > http-state mailing list > http-state@ietf.org > https://www.ietf.org/mailman/listinfo/http-state > > > End of http-state Digest, Vol 1, Issue 1 > **************************************** > _______________________________________________ > http-state mailing list > http-state@ietf.org > https://www.ietf.org/mailman/listinfo/http-state _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state