Return-Path: =?utf-8?q?=3Cietf-http-wg-request+bounce-httpbisa-archive-bis2j?= =?utf-8?q?uki=3Dlists=2Eie=40listhub=2Ew3=2Eorg=3E?= X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5DB3A0765 for ; Tue, 10 Mar 2020 11:03:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.75 X-Spam-Level: X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQnUsbsZk9ju for ; Tue, 10 Mar 2020 11:03:16 -0700 (PDT) Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51DA83A077A for ; Tue, 10 Mar 2020 11:03:13 -0700 (PDT) Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from ) id 1jBjAF-00020J-Gk for ietf-http-wg-dist@listhub.w3.org; Tue, 10 Mar 2020 17:59:35 +0000 Resent-Date: Tue, 10 Mar 2020 17:59:35 +0000 Resent-Message-Id: Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jBjA1-0001zE-2d for ietf-http-wg@listhub.w3.org; Tue, 10 Mar 2020 17:59:21 +0000 Received: from mail-lj1-x235.google.com ([2a00:1450:4864:20::235]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1jBj9z-0007bg-IH for ietf-http-wg@w3.org; Tue, 10 Mar 2020 17:59:20 +0000 Received: by mail-lj1-x235.google.com with SMTP id u12so11020400ljo.2 for ; Tue, 10 Mar 2020 10:59:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Rf7vruCfi/xoG9w9F9widssTEB2DmxIErF3WxufU9/c=; b=m8K8K31kOpvPdD63/shwQRxKauQ0GF045tWFr1nilhIze6lCOj59QnpsdoBdNtOqBW n5b/HUaSxkVyeW2tLwVQXtc7LUsGZ+1yyrxmzHXBaUjKo7GJ+ws26G56Zdh/TF3FZzoZ ljnE/AJpR6yELKQy7p1MRlf+RNosvKvGbO76EZRzlriwEA4hwsCKrUe5EJjs/JW9eMBQ HouukEMXakWMbZQYKEC2EO87Aklt8zp50zPiL1scihCSGmNnn2sV+pG9kWhrotlHbaqN foFmWi55v2+wE2cIcD61CS97+xr9LHxJ2iASS2bpITsy66n9PC0Mnd5LikMqh3VOpqXw VXHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Rf7vruCfi/xoG9w9F9widssTEB2DmxIErF3WxufU9/c=; b=dNsPtms5id/a6Grk0s1TweDSdfl64QvnbvysNmCleKO1OVLupsYw3qIgknAYkfYdyi Cu/gwoldV7lnZlDdCxhav0Iw20Q1+G1nwZVRB1VMVY/OOLGFQAJ4llHWGmUZYcnNzaG2 CdCeF0kNPDmaMM+iA9jlQwGTW/DUJToV4msujymp9iIxw1HbnY5Wh9Myu50oPNZ91MBB b22MZWUhx9I7cwna8ZS6GPtWjCxba1MKFaexXGRDyJ8ooOo/uKJzbjW91S4Z1uo5jhg6 YSnZzKBsyeJnNF0p012pzvUig10ILZ4MGonM2ICafR2NHtfYa5dfWXDf7eVl4uSQD70p rm9Q== X-Gm-Message-State: ANhLgQ2RSbynAg1yJoV9q+enwTJmCm4QofqtaA6X3GheT0xLAIxFBhn2 Ao6uXUeuJt3JSXyHJ6xFWLieHnLs+q1eQmCUVvm6bnmL9+s= X-Google-Smtp-Source: =?utf-8?q?ADFU+vtr2YuQnhtGuLsE5hUcxEQP+5HaqgErklEP35u1?= =?utf-8?q?svYiX3S3WXXmfB2aWCgMspiaD3G/faSuNw1hBQticdPFVfc=3D?= X-Received: by 2002:a2e:7c04:: with SMTP id x4mr13785292ljc.60.1583863147540; Tue, 10 Mar 2020 10:59:07 -0700 (PDT) MIME-Version: 1.0 References: <110aa602-33bd-4fbf-b3af-c5530d95fc44@www.fastmail.com> <579453b7-99cf-45cc-809c-c91f29207a1f@www.fastmail.com> In-Reply-To: <579453b7-99cf-45cc-809c-c91f29207a1f@www.fastmail.com> From: Spencer Dawkins at IETF Date: Tue, 10 Mar 2020 12:58:41 -0500 Message-ID: To: Martin Thomson Cc: HTTP Working Group Content-Type: multipart/alternative; boundary="0000000000004833e405a083e09b" Received-SPF: pass client-ip=2a00:1450:4864:20::235; envelope-from=spencerdawkins.ietf@gmail.com; helo=mail-lj1-x235.google.com X-W3C-Hub-Spam-Status: No, score=-4.1 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1 X-W3C-Scan-Sig: titan.w3.org 1jBj9z-0007bg-IH fe1a0e81eaef0690361d16ac1a2b758e X-Original-To: ietf-http-wg@w3.org Subject: Re: Cookies and schemes. Archived-At: =?utf-8?q?=3Chttps=3A//www=2Ew3=2Eorg/mid/CAKKJt-eZBXn8ZS-QLzvo?= =?utf-8?q?fWYMprPr=3DQGxcZ84Ffx6hu=3D91Vmo=3DA=40mail=2Egmail=2Ecom=3E?= Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/37435 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: --0000000000004833e405a083e09b Content-Type: text/plain; charset="UTF-8" A minor comment on this exchange: On Tue, Mar 10, 2020 at 2:56 AM Martin Thomson wrote: > > 2. Perhaps we prefix the non-secure cookie names with `__Non-secure-` > > rather than minting a new header? > > That might work. It's new mechanisms, but not new-header-field new > mechanisms. More below. > I'm not an expert at this, but think I'm following the discussion in this thread. Is "Non-secure" the best term that could be used as a prefix? ISTM that part of the game here may be shaming people into not continuing to use this mechanism for months/years/ever, and "secure/non-secure" seems an awfully overloaded term. Could the prefix be more precise about what's at stake if you continue to use it? Random example unlikely to be the best suggestion: compare the shame of __Non-secure to the shame of __Trivially-Hijackable, if that's the case, and it's the worst accurate thing you can think of. If not, please substitute the worst possible accurate characterization. Make good choices, of course. Best, Spencer --0000000000004833e405a083e09b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
A minor comment on this exchange:
On Tue, = Mar 10, 2020 at 2:56 AM Martin Thomson <mt@lowentropy.net> wrote:
> 2. Perhaps we prefix the non-secure cookie names= with `__Non-secure-`
> rather than minting a new header?

That might work.=C2=A0 It's new mechanisms, but not new-header-field ne= w mechanisms.=C2=A0 More below.

I'm= not an expert at this, but think I'm following the discussion in this = thread.=C2=A0

Is "Non-secure" the best t= erm that could be used as a prefix? ISTM that part of the game here may be = shaming people into not continuing to use this mechanism for months/years/e= ver, and "secure/non-secure" seems an awfully overloaded term. Co= uld the prefix be more precise about what's at stake if you continue to= use it?=C2=A0

Random example unlikely to be the b= est suggestion: compare the shame of __Non-secure to the shame of __Trivial= ly-Hijackable, if that's the case, and it's the worst accurate thin= g you can think of. If not, please substitute=C2=A0the worst possible accur= ate characterization.=C2=A0

Make good choices, of = course.

Best,

Spencer
--0000000000004833e405a083e09b--