Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

[Adam Barth <ietf@adambarth.com>]

On Wed, Feb 24, 2010 at 12:13 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> As others have stated, without a definition of "new protocol that operates
> over HTTP" this doesn't work. It's also problematic to put
> BCP14-requirements on spec writers :-)
>
> For instance, do you consider WebDAV or AtomPub "protocols that operate over
> HTTP"? If they
>
> Don't get me wrong; it would be good to discourage use of cookies, but this
> would need to come with more text, outlining the alternatives.

On Wed, Feb 24, 2010 at 12:32 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> I look forward to the more exciting XHTML2 phase of our Working Group, but
> perhaps we should wait until we actually have a good replacement before we
> tell people to stop using what works today.

:)

> Doesn't "NOT RECOMMENDED" effectively give a SHOULD-level requirement not to
> use any of the spec we are developing, and furthermore one that is likely to
> be almost totally ignored? That seems like two good reasons to omit that
> statement, at least if it is framed as a conformance statement.

Ok.  I've removed this requirement.  I've also changed the sentence in
the abstract to

[[
      The cookie protocol has many
      historical infelicities that degrade its security and privacy.
]]

How do folks feel about this related statement in Security Considerations:

[[
        <t>For applications that use the cookie protocol, servers SHOULD
        NOT rely upon cookies for security.</t>
]]

Adam