[secdir] [New-work] WG Review: HTTP State Management Mechanism (httpstate)

IESG Secretary <iesg-secretary@ietf.org> Tue, 24 November 2009 18:00 UTC

Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id F00A63A696B for <secdir@core3.amsl.com>; Tue, 24 Nov 2009 10:00:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.892
X-Spam-Status: No, score=-103.892 tagged_above=-999 required=5 tests=[AWL=0.293, BAYES_40=-0.185, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id tW8Alo8yXPUx for <secdir@core3.amsl.com>; Tue, 24 Nov 2009 10:00:25 -0800 (PST)
Received: from pch.mit.edu (PCH.MIT.EDU []) by core3.amsl.com (Postfix) with ESMTP id 05E4628C146 for <secdir@ietf.org>; Tue, 24 Nov 2009 10:00:23 -0800 (PST)
Received: from pch.mit.edu (pch.mit.edu []) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nAOI0HJQ013459 for <secdir@ietf.org>; Tue, 24 Nov 2009 13:00:17 -0500
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nAOI0GYo013450 for <secdir@PCH.mit.edu>; Tue, 24 Nov 2009 13:00:16 -0500
Received: from dmz-mailsec-scanner-1.mit.edu (DMZ-MAILSEC-SCANNER-1.MIT.EDU []) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id nAOHvP6x012812 for <secdir@mit.edu>; Tue, 24 Nov 2009 13:00:25 -0500 (EST)
X-AuditID: 1209190c-b7ca4ae0000075eb-c9-4b0c1f21c99a
Received: from mail.ietf.org (mail.ietf.org []) by (Symantec Brightmail Gateway) with SMTP id AA.47.30187.12F1C0B4; Tue, 24 Nov 2009 13:00:01 -0500 (EST)
Received: from [] (localhost []) by core3.amsl.com (Postfix) with ESMTP id B456628C14A; Tue, 24 Nov 2009 10:00:04 -0800 (PST)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 2BDA23A69CE; Tue, 24 Nov 2009 10:00:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091124180002.2BDA23A69CE@core3.amsl.com>
Date: Tue, 24 Nov 2009 10:00:02 -0800 (PST)
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
X-Brightmail-Tracker: AAAABBHIIFARyCm6EcgsOhHLcZY=
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: secdir@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
X-Mailman-Approved-At: Tue, 24 Nov 2009 11:08:12 -0800
Subject: [secdir] [New-work] WG Review: HTTP State Management Mechanism (httpstate)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 18:00:27 -0000

A new IETF working group has been proposed in the Applications Area.  The
IESG has not made any determination as yet.  The following draft charter
was submitted, and is provided for informational purposes only.  Please
send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday,
December 1, 2009.

HTTP State Management Mechanism (httpstate) 
Current Status: Proposed Working Group
Last modified: 2009-11-11


Applications Area Director(s):
  Lisa Dusseault 
  Alexey Melnikov 

Applications Area Advisor:
  Lisa Dusseault 

Mailing Lists: 
  General Discussion: http-state@ietf.org 
  To Subscribe: https://www.ietf.org/mailman/listinfo/http-state 
  Archive: http://www.ietf.org/mail-archive/web/http-
  Alternative Archive: http://groups.google.com/group/http-state  

Description of Working Group:  

The HTTP State Management Mechanism (aka Cookies) was originally 
created by Netscape Communications in their informal Netscape cookie 
specification ("cookie_spec.html"), from which formal specifications 
RFC 2109 and RFC 2965 evolved.  The formal specifications, however, 
were never fully implemented in practice; RFC 2109, in addition to 
cookie_spec.html, more closely resemble real-world implementations than 
RFC 2965, even though RFC 2965 officially obsoletes the former. 
Compounding the problem are undocumented features (such as HTTPOnly), 
and varying behaviors among real-world implementations.  

The working group will create a new RFC that obsoletes RFC 2109 and 
specifies Cookies as they are actually used in existing implementations 
and deployments.  Where differences exist among the most commonly used 
implementations, the working group will document the variations.  Where 
consensus exists among the most commonly used implementations, the 
working group will specify the consensus behavior.  

The working group must not introduce any new syntax or new semantics 
not already in common use.  

The working group's specific deliverables are: 

* A standards-track document that is suitable to supersede RFC 2109 
(likely based on draft-abarth-cookie) 
* An informational document cataloguing the differences between major 
implementations  In doing so, the working group should consider:  
* cookie_spec.html - Netscape Cookie Specification  
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)    
* RFC 2964 - Use of HTTP State Management    
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)    
* I-D - HTTP State Management Mechanism v2    
* I-D - Cookie-based HTTP Authentication    
* Widely Implemented - HTTPOnly    
* Browser Security Handbook - Cookies  
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol    

Goals and Milestones: 
Jan 2010 - Feature-complete Internet-Draft of Cookie specification 
Mar 2010 - Feature-complete test suite of Cookie specification 
May 2010 - First fully conforming implementation in a major browser 
Jul 2010 - Last Call for Cookie specification 
Sep 2010 - Second fully conforming implementation in a major browser 
Nov 2010 - Submit Cookie specification to IESG for consideration as 
           a Draft Standard 
Nov 2010 - Submit deviation description to IESG for consideration as 
New-work mailing list
secdir mailing list