[secdir] [New-work] WG Review: HTTP State Management Mechanism (httpstate)
IESG Secretary <iesg-secretary@ietf.org> Tue, 24 November 2009 18:00 UTC
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091124180002.2BDA23A69CE@core3.amsl.com>
Date: Tue, 24 Nov 2009 10:00:02 -0800 (PST)
Subject: [secdir] [New-work] WG Review: HTTP State Management Mechanism (httpstate)
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
A new IETF working group has been proposed in the Applications Area. The IESG has not made any determination as yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday, December 1, 2009.

HTTP State Management Mechanism (httpstate)
---------------------------------------------------

Current Status: Proposed Working Group
Last modified: 2009-11-11

Chair(s): TBD

Applications Area Director(s):
Lisa Dusseault
Alexey Melnikov

Applications Area Advisor: Lisa Dusseault

Mailing Lists:
General Discussion: http-state@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/http-state
Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html
Alternative Archive: http://groups.google.com/group/http-state

Description of Working Group:

The HTTP State Management Mechanism (aka Cookies) was originally created by Netscape Communications in their informal Netscape cookie specification ("cookie_spec.html"), from which the formal specifications RFC 2109 and RFC 2965 evolved. The formal specifications, however, were never fully implemented in practice: RFC 2109, like cookie_spec.html, more closely resembles real-world implementations than RFC 2965 does, even though RFC 2965 officially obsoletes RFC 2109. Compounding the problem are undocumented features (such as HTTPOnly) and varying behaviors among real-world implementations.

The working group will create a new RFC that obsoletes RFC 2109 and specifies Cookies as they are actually used in existing implementations and deployments. Where differences exist among the most commonly used implementations, the working group will document the variations. Where consensus exists among the most commonly used implementations, the working group will specify the consensus behavior. The working group must not introduce any new syntax or new semantics not already in common use.
The working group's specific deliverables are:

* A standards-track document that is suitable to supersede RFC 2109 (likely based on draft-abarth-cookie)
* An informational document cataloguing the differences between major implementations

In doing so, the working group should consider:

* cookie_spec.html - Netscape Cookie Specification
  http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)
  http://tools.ietf.org/html/rfc2109
* RFC 2964 - Use of HTTP State Management
  http://tools.ietf.org/html/rfc2964
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
  http://tools.ietf.org/html/rfc2965
* I-D - HTTP State Management Mechanism v2
  http://tools.ietf.org/html/draft-pettersen-cookie-v2
* I-D - Cookie-based HTTP Authentication
  http://tools.ietf.org/html/draft-broyer-http-cookie-auth
* Widely Implemented - HTTPOnly
  http://www.owasp.org/index.php/HTTPOnly
* Browser Security Handbook - Cookies
  http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol
  http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf

Goals and Milestones:

Jan 2010 - Feature-complete Internet-Draft of Cookie specification
Mar 2010 - Feature-complete test suite of Cookie specification
May 2010 - First fully conforming implementation in a major browser
Jul 2010 - Last Call for Cookie specification
Sep 2010 - Second fully conforming implementation in a major browser
Nov 2010 - Submit Cookie specification to IESG for consideration as a Draft Standard
Nov 2010 - Submit deviation description to IESG for consideration as Informational
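The charter's central point is that deployed cookie handling follows the permissive Netscape style (plus undocumented flags such as HTTPOnly) rather than the RFC 2109/2965 grammar. The following Python is an added illustration, not part of the charter, of draft-abarth-cookie, or of any browser: it parses a Set-Cookie header value the way browsers actually do (split on ';', first piece is name=value, remaining pieces are case-insensitive attributes, quotes left untouched, no special handling of $Version), then audits the result for the HttpOnly and Secure attributes a server should be setting. The sample header values are constructed here, one of them in the quoted style of RFC 2109's own examples, to show how that older syntax comes through such a parser.

```python
"""Added example (not from the charter): Set-Cookie parsing as deployed.

Assumptions: this follows the de-facto browser behaviour that
draft-abarth-cookie set out to document, not the RFC 2109/2965 grammar.
Sample header values below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value; "" for flag attributes
    attrs: Dict[str, str] = field(default_factory=dict)

    def is_http_only(self) -> bool:
        return "httponly" in self.attrs

    def is_secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header value in the permissive deployed style.

    - The first ';'-delimited piece must be name=value with a non-empty
      name; otherwise the whole cookie is ignored, as browsers do.
    - Every later piece is an attribute; names match case-insensitively,
      and a piece without '=' is a flag attribute (Secure, HttpOnly).
    - Quotes are not stripped and '$Version' is not special: the RFC 2109
      quoted-string syntax is simply carried through as opaque text.
    """
    pieces = header.split(";")
    if "=" not in pieces[0]:
        return None
    name, _, value = pieces[0].partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None
    cookie = Cookie(name=name, value=value)
    for piece in pieces[1:]:
        piece = piece.strip()
        if not piece:
            continue
        attr_name, _, attr_value = piece.partition("=")
        cookie.attrs[attr_name.strip().lower()] = attr_value.strip()
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return hardening findings for a Set-Cookie value (empty list = fine)."""
    cookie = parse_set_cookie(header)
    if cookie is None:
        return ["unparseable: no name=value pair, browsers would discard it"]
    findings = []
    if not cookie.is_http_only():
        findings.append(f"{cookie.name}: missing HttpOnly (readable by page script)")
    if not cookie.is_secure():
        findings.append(f"{cookie.name}: missing Secure (also sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    # Constructed samples: a hardened session cookie, a bare one, and an
    # RFC 2109-style quoted cookie of the kind deployments never adopted.
    samples = [
        "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly",
        "lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
        'Customer="WILE_E_COYOTE"; Version="1"; Path="/acme"',
        "noequals",
    ]
    for header in samples:
        print(repr(header), "->", parse_set_cookie(header))
        for finding in audit_set_cookie(header):
            print("   ", finding)
```

Note that the RFC 2109-style sample parses without error but keeps its quotes and treats Version as an ordinary attribute, which is exactly the gap between the formal specifications and deployed behaviour the charter describes.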