Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

Peter Saint-Andre <stpeter@stpeter.im> Wed, 24 February 2010 04:02 UTC

Message-ID: <4B84A55E.6000304@stpeter.im>
Date: Tue, 23 Feb 2010 21:04:46 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
To: http-state@ietf.org
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com>
In-Reply-To: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com>
Subject: Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

On 2/23/10 7:55 PM, Adam Barth wrote:
> On Tue, Feb 23, 2010 at 9:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
>> On Tue, 23 Feb 2010 17:15:04 +0100, <Internet-Drafts@ietf.org> wrote:
>>> The cookie protocol has many
>>> historical infelicities and should be avoided for new applications of
>>> HTTP.
>>
>> What exactly does this mean?
> 
> It means that we don't think new applications of HTTP (e.g., SIP)
> should use the cookie protocol.  Cookies have caused significant
> security problems for the web.  For new applications, it's probably a
> good idea to use another state management mechanism.

Could you explain the sense in which SIP is an application of HTTP? I'm
trying to understand which of the following best captures what you are
saying:

1. Non-web technologies SHOULD NOT use cookies but instead SHOULD define
their own application-specific methods for state management.

2. Non-web technologies that define bindings to HTTP (e.g., the HTTP
binding for XMPP defined in [BOSH]) SHOULD NOT use cookies even within
such a binding but instead SHOULD define their own application-specific
methods for state management.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/