[privacydir] draft-ietf-httpstate-cookie (was Re: getting things started)

Alissa Cooper <acooper@cdt.org> Thu, 13 January 2011 10:36 UTC

Return-Path: <acooper@cdt.org>
X-Original-To: privacydir@core3.amsl.com
Delivered-To: privacydir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 7DF5B3A6B63 for <privacydir@core3.amsl.com>; Thu, 13 Jan 2011 02:36:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.446
X-Spam-Status: No, score=-102.446 tagged_above=-999 required=5 tests=[AWL=0.153, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 1q6qG-ZdvnF0 for <privacydir@core3.amsl.com>; Thu, 13 Jan 2011 02:36:50 -0800 (PST)
Received: from mail.maclaboratory.net (mail.maclaboratory.net []) by core3.amsl.com (Postfix) with ESMTP id 52EFF3A6B60 for <privacydir@ietf.org>; Thu, 13 Jan 2011 02:36:49 -0800 (PST)
Received: from localhost ([]) by mail.maclaboratory.net (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Thu, 13 Jan 2011 05:39:00 -0500
Message-Id: <DD98E62E-1EE7-4CDF-B184-B37B041B947C@cdt.org>
From: Alissa Cooper <acooper@cdt.org>
To: Sean Turner <turners@ieca.com>
In-Reply-To: <4D278269.4010509@ieca.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 13 Jan 2011 10:38:57 +0000
References: <4D247A58.3070605@ieca.com> <4D2610E8.5060105@ischool.berkeley.edu> <4D278269.4010509@ieca.com>
X-Mailer: Apple Mail (2.936)
Cc: privacydir@ietf.org
Subject: [privacydir] draft-ietf-httpstate-cookie (was Re: getting things started)
X-BeenThere: privacydir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Privacy Directorate to develop the concept of privacy considerations for IETF specifications and to review internet-drafts for privacy considerations." <privacydir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/privacydir>, <mailto:privacydir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/privacydir>
List-Post: <mailto:privacydir@ietf.org>
List-Help: <mailto:privacydir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacydir>, <mailto:privacydir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jan 2011 10:36:51 -0000


I took a look at this draft (which I meant to do during IETF last call  
and unfortunately didn't get to) and both your and Tim's DISCUSSes. I  
think the privacy points that you raise are spot-on; I have just a  
couple of further thoughts:

-- I think it makes sense to make some recommendation on limiting  
cookie lifetimes. One way to do it without picking a number would be  
to say that cookies should be set to expire when they are no longer  
needed by the server for the purpose for which they were set. That way  
a limit is recommended but it's still fungible. It might also make  
sense to recommend that cookies lifetimes be reasonable given the  
expected lifetime of browsers and devices (i.e., a 30-year lifetime  
makes no sense when people cycle through devices every year or couple  
of years).

-- It's my understanding that most private browsing modes prevent  
third-party cookies from being read and treat all newly set cookies as  
session cookies (see http://cdt.org/files/pdfs/ 
20101209_browser_rpt.pdf page 9). So I think this is actually covered  
by the text in 7.2.

Does it make sense for you to convey these comments to Adam, or should  
I post them to the http-state list?


On Jan 7, 2011, at 9:15 PM, Sean Turner wrote:

> The two drafts below were on yesterday's IESG telechat.
> For the ipfix-anon draft, I submitted Nick's comments pretty much in  
> their entirety.  I haven't heard from the authors.  There's  
> essentially still time if somebody uncovers something horrible.  The  
> time frame for anything on that draft is at best two weeks.
> For the cookie draft, time is short - actually technically it's over  
> because IETF LC ended a while ago.  The author is very responsive  
> too. If you've got any comments I need them as soon as possible and  
> unfortunately there's no guarantee the author will incorporate them.
> This just goes to show we need a secretary to ride herd on us.
> spt
> On 1/6/11 1:58 PM, Deirdre Mulligan wrote:
>> Hi Sean et al
>> Can you tell me what the timeline is on the two below?
>> I am happy to take on some of the evaluation work under 2 and will  
>> plan
>> to work it into a lab class I am running this semester looking at  
>> policy
>> implications of technical design.
>> On topic 1, I would suggest that we think about other models--both
>> decisional documents, expert committees, etc. -- in addition to the
>> morris draft for iding and working through privacy issues in drafts.
>> thanks and happy new year.
>> cheers
>> deirdre
>> On 1/5/11 6:04 AM, Sean Turner wrote:
>>> Everyone,
>>> Thanks for agreeing to be in this directorate. The purpose is  
>>> twofold:
>>> 1. Provide a place to discuss the Privacy Considerations for  
>>> Internet
>>> Protocols draft
>>> (https://datatracker.ietf.org/doc/draft-morris-privacy-considerations/ 
>>> )
>>> 2. Test out the recommendations in that draft by reviewing selected
>>> drafts.
>>> Most that I talked to about this directorate liked the idea that it
>>> would be modeled on the security directorate. To do that we'll  
>>> need a
>>> secretary to review the upcoming IESG telechat agenda
>>> (https://datatracker.ietf.org/iesg/agenda/documents/), select  
>>> drafts to
>>> review, and assign drafts to reviewers. What that means is that  
>>> we'll
>>> actually need people to review drafts and send their comments to the
>>> directorate. The workload will, I think, at most be one draft a  
>>> month
>>> per person. Now there are only 15 or so, but we've had 30 requests  
>>> to
>>> join the directorate. So, the workload could actually drop.
>>> I've gotten at least one recommendation for a secretary and Tim  
>>> and I
>>> will see if they'd be game. I suspect the assignment process will  
>>> happen
>>> by generating the list of directorate reviewers and then just  
>>> working
>>> through the list.
>>> Tim and I had picked out two drafts that seemed bang on  
>>> appropriate for
>>> the directorate to review:
>>> https://datatracker.ietf.org/doc/draft-ietf-httpstate-cookie/
>>> and
>>> https://datatracker.ietf.org/doc/draft-ietf-ipfix-anon/
>>> Tim and I both have some initial comments on the httpstate-cookie  
>>> draft.
>>> You can see them by clicking on the IESG evaluation tab in he
>>> datatracker. If you think we've missed something please send email  
>>> to
>>> this list.
>>> Nick Mathewson provided Tim and I with some comments on the ipfix- 
>>> anon
>>> draft which I will forward shortly to the mailing list.
>>> Cheers,
>>> spt
>>> _______________________________________________
>>> privacydir mailing list
>>> privacydir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacydir
> _______________________________________________
> privacydir mailing list
> privacydir@ietf.org
> https://www.ietf.org/mailman/listinfo/privacydir