[http-state] WG Action: HTTP State Management Mechanism (httpstate)

IESG Secretary <iesg-secretary@ietf.org> Fri, 11 December 2009 20:30 UTC

Return-Path: <root@core3.amsl.com>
X-Original-To: http-state@ietf.org
Delivered-To: http-state@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id DDEDF3A68E0; Fri, 11 Dec 2009 12:30:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: ietf-announce@ietf.org
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20091211203001.DDEDF3A68E0@core3.amsl.com>
Date: Fri, 11 Dec 2009 12:30:01 -0800
Cc: http-state@ietf.org
Subject: [http-state] WG Action: HTTP State Management Mechanism (httpstate)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2009 20:30:02 -0000

A new IETF working group has been formed in the Applications Area.  For
additional information, please contact the Area Directors or the WG

HTTP State Management Mechanism (httpstate)
Current Status: Active Working Group

 * Jeff Hodges (Jeff.Hodges@kingsmountain.com)
 * Eran Hammer-Lahav (eran@hueniverse.com)

Applications Area Directors:
 * Lisa Dusseault (lisa.dusseault@gmail.com)
 * Alexey Melnikov (alexey.melnikov@isode.com) 

Applications Area Advisor:
 * Lisa Dusseault (lisa.dusseault@gmail.com)

Mailing Lists:
 General Discussion: http-state@ietf.org
 To Subscribe: https://www.ietf.org/mailman/listinfo/http-state
 Alternative Archive: http://groups.google.com/group/http-state

Description of Working Group:

The HTTP State Management Mechanism (aka Cookies) was originally
created by Netscape Communications in their informal Netscape cookie
specification ("cookie_spec.html"), from which formal specifications
RFC 2109 and RFC 2965 evolved. The formal specifications, however,
were never fully implemented in practice; RFC 2109, in addition to
cookie_spec.html, more closely resemble real-world implementations
than RFC 2965, even though RFC 2965 officially obsoletes the former.
Compounding the problem are undocumented features (such as HTTPOnly),
and varying behaviors among real-world implementations.

The working group will create a new RFC that:
 * obsoletes RFC 2109,
 * updates RFC 2965 to the extent it overlaps or voids RFC 2109, and
 * specifies Cookies as they are actually used in existing 
   implementations and deployments.

Where commonalities exist in the most widely used implementations, the
working group will specify the common behavior. Where differences exist 
among the most widely used implementations, the working group will 
document the variations and seek consensus to reduce variation by 
selecting among the most widely used variations.

The working group must not introduce any new syntax or new semantics
not already in common use.

The working group's specific deliverables are:
* A standards-track document that is suitable to supersede RFC 2109 
  (likely based on draft-abarth-cookie)
* An informational document cataloguing the differences between major

In doing so, the working group should consider:

* cookie_spec.html - Netscape Cookie Specification
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)
* RFC 2964 - Use of HTTP State Management
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
* I-D - HTTP State Management Mechanism v2
* I-D - Cookie-based HTTP Authentication
* Widely Implemented - HTTPOnly
* Browser Security Handbook - Cookies
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol

Goals and Milestones:

Mar 2010 - Feature-complete Internet-Draft of Cookie specification
May 2010 - Feature-complete test suite of Cookie specification
Jun 2010 - Feature-complete draft of deviation description
Jul 2010 - First fully conforming implementation in a major browser
Sep 2010 - Last Call for Cookie specification
Oct 2010 - Last Call for deviation description
Dec 2010 - Second fully conforming implementation in a major browser
Jan 2011 - Submit Cookie specification to IESG for consideration as
           a Draft Standard
Jan 2011 - Submit deviation description to IESG for consideration as
Mar 2011 - Close or recharter