Re: [http-state] Welcome to http-state
Dan Winship <dan.winship@gmail.com> Tue, 13 January 2009 17:12 UTC
Return-Path: <http-state-bounces@ietf.org>
X-Original-To: http-state-archive@ietf.org
Delivered-To: ietfarch-http-state-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DFDD28C13F; Tue, 13 Jan 2009 09:12:17 -0800 (PST)
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B6E03A6912 for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:12:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAWJxCwc1cUK for <http-state@core3.amsl.com>; Tue, 13 Jan 2009 09:12:15 -0800 (PST)
Received: from mysterion.org (mysterion.org [69.25.196.35]) by core3.amsl.com (Postfix) with ESMTP id 34EA43A6A16 for <http-state@ietf.org>; Tue, 13 Jan 2009 09:12:15 -0800 (PST)
Received: from x61.home.mysterion.org (lan-nat-pool-bos.redhat.com [66.187.234.200]) by mysterion.org (Postfix) with ESMTPA id 9E5C48028D for <http-state@ietf.org>; Tue, 13 Jan 2009 12:11:58 -0500 (EST)
Message-ID: <496CCB42.4020403@gmail.com>
Date: Tue, 13 Jan 2009 12:11:30 -0500
From: Dan Winship <dan.winship@gmail.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
References: <49679299.6060703@corry.biz> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <7789133a0901121159u1da01de8w77edd52913857358@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <7789133a0901121359p635972bod78e7a46a29c1a8b@mail.gmail.com> <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan> <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
In-Reply-To: <7789133a0901121508y51bd1d87g2e89846794c8dcf7@mail.gmail.com>
Subject: Re: [http-state] Welcome to http-state
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: http-state-bounces@ietf.org
Errors-To: http-state-bounces@ietf.org
Adam Barth wrote:
> I'm not an expert on what is or is not in scope for this working
> group
We're not actually a working group yet, so we don't have a charter, so
nothing is specifically in or out of scope yet.
The deliverable that some people want is an Informational RFC explaining
how cookies are actually used *right now* (as opposed to "how we wish
they worked"), with notes on areas of incompatibility, and discussion of
known security problems.
If we want to actually make cookies better, then we need to be careful
to not just create yet-another-improved-cookie-spec-that-everyone-
ignores (as Daniel Stenberg already noted). So there are two kinds of
things we can do:
* Find ways to make cookies better that don't require web developers
to change their behavior. (Eg, draft-pettersen-dns-cookie-validate
and draft-pettersen-subtld-structure.)
* Find ways to make cookies better that we can somehow force/trick/
bribe web developers into using.
One way to make the new spec compelling might be to add some feature
that would be needed by some other useful spec like
Cookie-based-HTTP-auth (draft-broyer-http-cookie-auth, currently being
discussed on the ietf-http-auth list). Or to have new cookies integrate
with HTML5 in some exciting way that old cookies wouldn't be able to.
Likewise, even though it would be cleaner to scrap Set-Cookie and
replace it with a new header a la Set-Cookie2, developers are going to
want backward-compatibility, and don't want to have to set each cookie
twice (for bandwidth reasons), so the best solution for new features may
be to add new attributes to Set-Cookie (keeping in mind that old
implementations would still see the cookies but would ignore the new
attributes).
-- Dan
_______________________________________________
http-state mailing list
http-state@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
- [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Bil Corry
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Daniel Stenberg
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Adam Barth
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Dan Winship
- Re: [http-state] Welcome to http-state Blake Frantz
- Re: [http-state] Welcome to http-state Bil Corry