Re: [http-state] Welcome to http-state
Dan Winship <dan.winship@gmail.com> Tue, 13 January 2009 17:12 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DFDD28C13F; Tue, 13 Jan 2009 09:12:17 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B6E03A6912 for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:12:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAWJxCwc1cUK for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:12:15 -0800 (PST)
Received: from mysterion.org (mysterion.org [69.25.196.35]) by core3.amsl.com (Postfix) with ESMTP id 34EA43A6A16 for <http-state@ietf.org>; Tue, 13 Jan 2009 09:12:15 -0800 (PST)
Received: from x61.home.mysterion.org (lan-nat-pool-bos.redhat.com [66.187.234.200]) by mysterion.org (Postfix) with ESMTPA id 9E5C48028D for <http-state@ietf.org>; Tue, 13 Jan 2009 12:11:58 -0500 (EST)
Message-ID: <496CCB42.4020403@gmail.com>
Date: Tue, 13 Jan 2009 12:11:30 -0500
From: Dan Winship <dan.winship@gmail.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan> <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
In-Reply-To: <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
Adam Barth wrote: > I'm not an expert on what is or is not in scope for this working > group We're not actually a working group yet, so we don't have a charter, so nothing is specifically in or out of scope yet. The deliverable that some people want is an Informational RFC explaining how cookies are actually used *right now* (as opposed to "how we wish they worked"), with notes on areas of incompatibility, and discussion of known security problems. If we want to actually make cookies better, then we need to be careful to not just create yet-another-improved-cookie-spec-that-everyone- ignores (as Daniel Stenberg already noted). So there are two kinds of things we can do: * Find ways to make cookies better that don't require web developers to change their behavior. (Eg, draft-pettersen-dns-cookie-validate and draft-pettersen-subtld-structure.) * Find ways to make cookies better that we can somehow force/trick/ bribe web developers into using. One way to make the new spec compelling might be to add some feature that would be needed by some other useful spec like Cookie-based-HTTP-auth (draft-broyer-http-cookie-auth, currently being discussed on the ietf-http-auth list). Or to have new cookies integrate with HTML5 in some exciting way that old cookies wouldn't be able to. Likewise, even though it would be cleaner to scrap Set-Cookie and replace it with a new header a la Set-Cookie2, developers are going to want backward-compatibility, and don't want to have to set each cookie twice (for bandwidth reasons), so the best solution for new features may be to add new attributes to Set-Cookie (keeping in mind that old implementations would still see the cookies but would ignore the new attributes). -- Dan _______________________________________________ http-state mailing list http-state@ietf.org https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry