WG Review: HTTP State Management Mechanism (httpstate)

IESG Secretary <iesg-secretary@ietf.org> Tue, 24 November 2009 18:00 UTC

From: IESG Secretary <iesg-secretary@ietf.org>
To: ietf-announce@ietf.org
Subject: WG Review: HTTP State Management Mechanism (httpstate)
Message-Id: <20091124180002.236D83A696B@core3.amsl.com>
Date: Tue, 24 Nov 2009 10:00:02 -0800
Cc: http-state@ietf.org
Reply-To: iesg@ietf.org

A new IETF working group has been proposed in the Applications Area.  The
IESG has not made any determination as yet.  The following draft charter
was submitted, and is provided for informational purposes only.  Please
send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday,
December 1, 2009.

HTTP State Management Mechanism (httpstate) 
---------------------------------------------------
Current Status: Proposed Working Group
Last modified: 2009-11-11

Chair(s):
  TBD

Applications Area Director(s):
  Lisa Dusseault <lisa.dusseault@gmail.com>
  Alexey Melnikov <alexey.melnikov@isode.com>

Applications Area Advisor:
  Lisa Dusseault <lisa.dusseault@gmail.com>

Mailing Lists: 
  General Discussion: http-state@ietf.org 
  To Subscribe: https://www.ietf.org/mailman/listinfo/http-state 
  Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html
  Alternative Archive: http://groups.google.com/group/http-state  

Description of Working Group:  

The HTTP State Management Mechanism (aka Cookies) was originally
created by Netscape Communications in their informal Netscape cookie
specification ("cookie_spec.html"), from which the formal specifications
RFC 2109 and RFC 2965 evolved.  The formal specifications, however,
were never fully implemented in practice; RFC 2109, in addition to
cookie_spec.html, more closely resembles real-world implementations than
RFC 2965, even though RFC 2965 officially obsoletes the former.
Compounding the problem are undocumented features (such as HTTPOnly)
and varying behaviors among real-world implementations.

The working group will create a new RFC that obsoletes RFC 2109 and 
specifies Cookies as they are actually used in existing implementations 
and deployments.  Where differences exist among the most commonly used 
implementations, the working group will document the variations.  Where 
consensus exists among the most commonly used implementations, the 
working group will specify the consensus behavior.  

The working group must not introduce any new syntax or new semantics 
not already in common use.  

The working group's specific deliverables are: 

* A standards-track document that is suitable to supersede RFC 2109 
(likely based on draft-abarth-cookie) 
* An informational document cataloguing the differences between major
implementations

In doing so, the working group should consider:

* cookie_spec.html - Netscape Cookie Specification
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)    
http://tools.ietf.org/html/rfc2109 
* RFC 2964 - Use of HTTP State Management    
http://tools.ietf.org/html/rfc2964 
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)    
http://tools.ietf.org/html/rfc2965 
* I-D - HTTP State Management Mechanism v2    
http://tools.ietf.org/html/draft-pettersen-cookie-v2 
* I-D - Cookie-based HTTP Authentication    
http://tools.ietf.org/html/draft-broyer-http-cookie-auth 
* Widely Implemented - HTTPOnly    
http://www.owasp.org/index.php/HTTPOnly 
* Browser Security Handbook - Cookies  
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol    
http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf  

Goals and Milestones: 
 
Jan 2010 - Feature-complete Internet-Draft of Cookie specification 
Mar 2010 - Feature-complete test suite of Cookie specification 
May 2010 - First fully conforming implementation in a major browser 
Jul 2010 - Last Call for Cookie specification 
Sep 2010 - Second fully conforming implementation in a major browser 
Nov 2010 - Submit Cookie specification to IESG for consideration as 
           a Draft Standard 
Nov 2010 - Submit deviation description to IESG for consideration as 
           Informational