RE: Unverifiable Transactions / Cookie draft

From: M. Hedlund <hedlund@best.com>
Date: Tue, 18 Mar 1997 10:07:52 -0800 (PST)
To: "Jaye, Dan" <DJaye@engagetech.com>
Cc: 'Yaron Goland' <yarong@microsoft.com>, "'dmerriman@doubleclick.net'" <dmerriman@doubleclick.net>, "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
Message-Id: <Pine.SGI.3.95.970318100207.5836G-100000@shellx.best.com>

On Fri, 14 Mar 1997, Jaye, Dan wrote:
> I would like to suggest that we provide a mechanism, similar to a
> Certificate Authority, that would allow for a "unverifiable transaction"
> to be verified against a list of valid site certificates.  These
> certificates could be assigned levels, perhaps using the E-TRUST
> trustmarks, and users could select their privacy level according to
> those trustmarks.  The default behavior could be for the cookies to be
> rejected from all non-verifiable transactions except for ETrust Level 3
> (i.e., anonymous) site certificates.

I agree that this is a fine suggestion.  How about changing section 4.3.5,
paragraph 1, sentence 4, from:

> A transaction is verifiable if the user has the option to review the
> request-URI prior to its use in the transaction. 

to:

> A transaction is verifiable if the user _or a user-designated agent_
> has the option to review the request-URI prior to its use in the
> transaction. 

(emphasis for review purposes).

Would that give the specification sufficient flexibility for your
recommendation to be implemented?

M. Hedlund <hedlund@best.com>
Received on Tuesday, 18 March 1997 11:13:41 EST
