IETF Logo Mail Archive

Re: June Interim: call for topics

Mark Nottingham <mnot@mnot.net> Fri, 04 June 2021 04:25 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1AA83A27BF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Jun 2021 21:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.749
X-Spam-Level:
X-Spam-Status: No, score=-7.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=rqQynxS/; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=kH1vMHwy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oWVxsLG0Lni for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Jun 2021 21:24:57 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F09B3A27BB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 3 Jun 2021 21:24:56 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lp1Ku-0006Jf-6o for ietf-http-wg-dist@listhub.w3.org; Fri, 04 Jun 2021 04:21:35 +0000
Resent-Date: Fri, 04 Jun 2021 04:21:32 +0000
Resent-Message-Id: <E1lp1Ku-0006Jf-6o@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1lp1KW-000676-CG for ietf-http-wg@listhub.w3.org; Fri, 04 Jun 2021 04:21:16 +0000
Received: from out1-smtp.messagingengine.com ([66.111.4.25]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1lp1KL-0005yf-10 for ietf-http-wg@w3.org; Fri, 04 Jun 2021 04:21:05 +0000
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 1CF5E5C0192; Fri, 4 Jun 2021 00:20:44 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Fri, 04 Jun 2021 00:20:44 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=E fH7hRh7j7rOle7nkFKIojalcIqQ+HeGVpBV35yJboQ=; b=rqQynxS/nDP6E7Lza wHXlORzxXKBkQMRTuJ8jecJTJq9kjPHD1Ejm3tj5fRp+a8A6f0tOI3ehRW30+lDQ 5CbccLiuFrOV5VlxcBMJy6WKyRZFggvCRsBfIq0ZqIR6yVuSXOizhaOJVswQ8fQ4 yD95Yc98l3PdUu/psklHfNZthnf9xInxrXMTK+oH+LyZWgFi/NTC7QStStmwgQsq EFZoRJOTjPYrBgIrJMHWI2UXBd/0uHE8vsBi24AEqBvjIFa3sUBImhjFjO6bpqrY OcQBDvm4TRnOnSscd45Pn2M/9SOc8ZX4QOb+Z2lPpr3BEL5c2elieiDYNmMhGEyc plmRg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=EfH7hRh7j7rOle7nkFKIojalcIqQ+HeGVpBV35yJb oQ=; b=kH1vMHwyR1KmKDb4a3PZeAGXMNj/h458ikMeGUt58GEhoBADIndm7rQE1 0AjXfXn3LHb7IW7F24zJAdvYac3HyyjRmVAu1KG4BJD+DvB/QiCKy0WpulRDyXEG c80lc8ZptvDw/+c/ny+E6RYRh7nx2SNPldm+WXccvbWzgG59vRcp2A3VosD3InyK BMh5kpp/vOfdWql7Q0X307v0ZKr47uVWWB6al4cI7AXaoJb9rqiQ86gBv3DHBBPP B/XxQkTdPuJakow2TNHiqysXf9pnGZyRGQwWqGup3f8uop3hqPxLmKqw12skv6WU DBgibyqn8OFeqjEJyGWP0TgOPW8ZQ==
X-ME-Sender: <xms:Gqq5YK3kXLLwM8sKTUy3UyTJvDQB3cxssebvGwqqm9dWPoC9_fEOZg> <xme:Gqq5YNHncoQsQHbLy4GQIS3loxBD1C301-62XBwlQjOAt3lCWcsTHdk1m0R1_8J9C T6PjF-CVkatKVkk5w>
X-ME-Received: <xmr:Gqq5YC7SPovUBKQJa_cABRrvVXLde2whR-t01FAT7cNvof-HULXdcN42Zb6Rn5nVAj0TtQyxksjWsbyOKIa4z_hIcxyLZC2-rzHakh6CwB_Hw1JhgB1LiuHV>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfedttddgjeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpegtggfuhfgjfffgkfhfvffosehtqh hmtdhhtddvnecuhfhrohhmpeforghrkhcupfhothhtihhnghhhrghmuceomhhnohhtsehm nhhothdrnhgvtheqnecuggftrfgrthhtvghrnhepjeeileevfeeutefhfeefffetgeevge ffhfefleduvdefveeileehvdeuveduvedvnecuffhomhgrihhnpeifihgtghdrihhopdhi vghtfhdrohhrghdpmhhnohhtrdhnvghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrg hrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:Gqq5YL094KWx9KYaqSt91Sii_HVnx8tokpixLOO_YrYZej4iXb7ggA> <xmx:Gqq5YNHbcSTeDDvg2AnlGIVbmifvNLtcJQBcbjo-pOi4VJ2gBw1eZA> <xmx:Gqq5YE_6ijM0NyGKKFsrQab7na1X45kIr2IErDhI6muhk7QBW4sLvw> <xmx:HKq5YNC6dBp_ueM0pd_qp1aJgFrki8GL9W403IpKazqYSNYmiVK2ig>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 4 Jun 2021 00:20:41 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <3cdc71e9-70a1-1ca9-39f3-9319c1ae291f@ztk-rp.eu>
Date: Fri, 04 Jun 2021 14:20:36 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <44E80419-7895-49C7-9017-F55DF3FBAEA7@mnot.net>
References: <D3DECA17-1574-4EC7-8B21-97F2EB042276@mnot.net> <082f23bc-ea78-2f95-4c78-4f9f88d6c47d@ztk-rp.eu> <CADYDTCAnCsQeP+8umkqTQCVqa3NhJ5+4QPZMffGWPXrF7_FB4A@mail.gmail.com> <3cdc71e9-70a1-1ca9-39f3-9319c1ae291f@ztk-rp.eu>
To: Rafal Pietrak <cookie.rp@ztk-rp.eu>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Received-SPF: pass client-ip=66.111.4.25; envelope-from=mnot@mnot.net; helo=out1-smtp.messagingengine.com
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=mnot.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1lp1KL-0005yf-10 09fde493893018d72b019285ca130d88
X-Original-To: ietf-http-wg@w3.org
Subject: Re: June Interim: call for topics
Archived-At: <https://www.w3.org/mid/44E80419-7895-49C7-9017-F55DF3FBAEA7@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38849
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Rafal,

First, I'll address your question about presenting in the meeting. Generally -- and especially for cookie modifications -- we like to see on-list interest before devoting meeting time to a topic.  In the IETF, mailing lists are the primary mechanism for discussion, not meetings. So please continue to discuss this on the list; if we get to a point where meeting time is necessary to make progress, we'll schedule it.
 
Now, regarding your proposal -- As I understand it, you want to authenticate users on the server side in a way that's limited to a per-top level browsing context (e.g., window or tab). Cookies are not adequate for that purpose because servers can't distinguish cookies from two different browsing contexts in the same browser. HTML session state isn't adequate because it can't modify requests to the server (unless it does so by modifying the URL, which is clunky and arguably unreasonable).

Is that about right?

If so, I can see why you're proposing a change to cookies. However, be aware that cookies are a very widely-deployed technology with significant impact on privacy, security, and interoperability. The only way to make a change to them is to convince implementers (primarily, browsers) that the use case is so compelling that it overcomes the risks and costs of implementing it. Furthermore, to make it interoperable, you need to convince all of the browser engines to do so, and to use it, you need to wait until enough users update to the browser versions that implement it (an aspect that's more tricky because you seem to want to rely on support for a new feature to deliver some security properties that are important to you). 

In other words, it's not impossible to introduce a change like this, but it's not easy, at all. As Dan points out, you're going to need to convince people. I'd suggest that you focus on stating the requirements that you have as clearly as possible, establishing that those requirements are shared by others, and showing that they can't be met by existing approaches. The exact specification text doesn't matter very much at this stage (and may actually distract from the core issues you want to address).

This topic is suitable for this mailing list, but if there isn't more interest demonstrated here (and folks, please chime in if you have thoughts!), you might try posting about what you're trying to do on the WICG Discourse.[1] That venue is watched by a number of folks who work for browsers across the stack, and their input might help refine your proposal.

Cheers,


P.S. Did you look at using a ServiceWorker to add authentication credentials to requests, based upon the client.id of the FetchEvent? I haven't tried this, but it looks like it might be a fruitful direction, if I understand your use case correctly.

1. https://discourse.wicg.io



> On 4 Jun 2021, at 3:37 am, Rafal Pietrak <cookie.rp@ztk-rp.eu> wrote:
> 
> Hello Daniel and Everybody,
> 
> W dniu 21.05.2021 o 23:36, Daniel Veditz pisze:
>> On Fri, May 21, 2021 at 8:03 AM Rafal Pietrak <cookie.rp@ztk-rp.eu
>> <mailto:cookie.rp@ztk-rp.eu>> wrote:
>> 
>>    If possible, I'd appreciate a couple of minutes for my cookies radius
>>    proposal
>>    (https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/
>>    <https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/>)
>> 
>> 
>> Mark's answer[1] to another recent cookie proposal applies here too. For
> 
> I think, I've followed those guidelines from the very beginning:
> 1. I've drafted my proposal
> 2. I've tried to get WG attention on this list.
> 
> Should there be anything else for me to do, pls advise.
> 
>> now the group is only considering cookie proposals as part of
>> RFC6265bis. This is on the agenda for this meeting but your proposal
>> does not yet have the support to be incorporated into it.
> 
> OK.
> 
> Although I'm responding so late, because I've tried to work my way out
> into the RFC6265bis, but that proved to be more difficult then I've
> initially expected, and while I haven't received much response to my
> proposal, I started to feel, that even if my proposal gets through into
> the RFC6265bis, It'll be in an entirely different form, that I currently
> imagine. So the work of merging my draft into RFC6265bis would be a
> complete waste.
> 
> For the time being I'd rather assume, that discussion around words in my
> draft-01 could be more up-to-the-point, then discussion if-where-how to
> incorporate it within RFC6265bis.
> 
> So, I'd appreciate if I could have a couple of minutes during the June
> meeting for cookie-radius presentation.
> 
> [-----------]
>> This IS the group for the topic, and anywhere else you try is likely to
>> bounce you back here. What you really need to do is drum up support for
>> this. Are there web sites that want to use this functionality enough to
>> change their code to use it? Are there client implementers fired up to
>> support Radius (browsers of course, but more than just browsers)? Is
>> there only support for part of it, and if so could that be solved in a
>> different way?
> 
> Different way? NO.
> 
> I tried all other approaches, may be I miss knowledge and imagination,
> but I couldn't find any way joggling HTTP/cookies/Local/session-store,
> that could possibly substitute security token as-part-of-URL ... keeping
> the functionality of URL: different TAB -> differet URL.
> 
> If there is any, I'll be happy to walk away with it and forget the
> "readius".
> 
>> 
>> My own prejudice is that I would never want "World" because I don't
>> trust sharing my cookies with all those other unknown apps. The
>> distinction between Tabs and Windows is lost on me because in at least
>> some browsers you can drag tabs or groups of tabs from window to window.
>> "Viewport" as a stricter definition of how "session" is often
>> interpreted by browsers might be interesting, and better backwards
>> compatibility than simply redefining/clarifying the meaning of a session
>> cookie.  For some uses, like banks, the existing clear-site-data feature
>> might be good enough, so you'll need to sell folks on why it isn't.
> 
> I can elaborate, But basically my design follows this basic principle
> line of logic:
> 1. a change is NECESARY -> current cookies (or any other auth mechanism)
> don't provide URL-like separation of security contexts between separate
> viewports.
> 2. So. The proposal does introduce that, keeping the definition as
> minimal as possible to provide required missing functionality
> 3. then I turn back, and check is by just a little extra that definition
> could provide more functionality (at close to none cost, like cost of
> 3-5 extra words to recognise)
> 4. if so, I put that extra into the design.
> 
> This is where "world" and "tabs" originated. The targeted functionality
> does not need them, but I wouldn't bet if those COULD be liked by other
> web designers. And those may come at no extra implementation cost.
> 
> To make it work, one must make sure, that those "extra" keywords are
> well defined. I  have made an effort to define them well, but It's
> possible I failed there. Still, I think it's worth spending time on
> making them defined "perfectly". But, should that couldn't be done, let
> them go away. They don't matter for the goal at hand.
> 
> If I was to make a hasty  "fine tuning" of my definitions here, I'd say:
> 1. "world" is basically for web-designers, that "want-to-grab-them-all"
> - meaning, no matter where user turns, he/she'll always returns those
> same cookies to the server - designers "may" like that. I'm not a judge
> here, I wouldn't need it, but I can foresee others would.
> 2. "tab" cookie is possibly ill-defined. I admit. It should probably be
> scratched at this point. I thought: when there is an "object", there
> should be a "token/distinction" for it. But you're probably right. There
> is no imaginable value in distinguishing windows from tabs.
> 
> So: would it be possible for me to have a quick (5min?) presentation of
> the cookie-radius proposal during the June meeting? (Cc: to Mark
> Nottingham, is to address this question to the chair of the group
> formally - I'm new here, and don't really know my way around, pls
> forgive if that's not appropriate)
> 
> Naturally, should there be anything I could improve in my draft, I'll be
> happy to pick up from discussion here on the list, before the meeting.
> 
> -R

--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email