
RE: Issues with the cookie draft

From: Yaron Goland <yarong@microsoft.com>
Date: Sat, 22 Mar 1997 16:45:07 -0800
Message-Id: <11352BDEEB92CF119F3F00805F14F485026B724C@RED-44-MSG.dns.microsoft.com>
To: "'hedlund@best.com'" <hedlund@best.com>
Cc: Dave Kristol <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
We all agree that the spec prevents completely legitimate behavior. Thus
demonstrating there is a flaw in the spec. My understanding of IETF
procedure is that the onus is now on the spec's editor to either fix the
flaw or remove the offending section. Is my understanding inaccurate?

BTW, in the near future it is very likely that control over the top
level domains will be opened to competition. Thus, in theory at least,
the foobar company could purchase a top level domain name of "foobar".
Thus their site would be foobar, www.foobar, or what have you. This spec
will now prevent them from being able to share cookies across www.foobar
and foobar.

			Yaron

PS Anyone who says "Wait a minute, that won't be allowed, you will
always have to be at least two levels" doesn't appreciate the
unbelievable worth of having your own top level domain name. Can you
imagine how much a company would be willing to pay to allow people to
just type in their company name on a command line and get their web
site?

> -----Original Message-----
> From:	M. Hedlund [SMTP:hedlund@best.com]
> Sent:	Saturday, March 22, 1997 8:15 AM
> To:	Yaron Goland
> Cc:	Dave Kristol; http-wg@cuckoo.hpl.hp.com
> Subject:	RE: Issues with the cookie draft
> 
> 
> On Sat, 22 Mar 1997, Yaron Goland wrote:
> > I'll come up with a rule to handle your cases as soon as you come up
> > with a rule to allow me to share cookies across:
> > 
> > companyname.com
> > productname.companyname.com
> > version1.productname.companyname.com
> > version2.productname.companyname.com
> > version3.productname.companyname.com
> > 
> > The current spec prevents sharing cookies amongst those servers. That
> > does not seem terribly reasonable.
> 
> I agree that it would be desirable to allow this functionality, and I
> concede that we as a group were not able to come up with such a rule (which
> I think Lou Montulli also raised as desirable in some cases).  My point
> about arbitrariness was that we didn't find a way to determine what was a
> company/organization name versus what was a "top"-level domain -- in other
> words, the rules that would satisfy the above cases would necessarily fail
> to satisfy the cases I listed.
> 
> Since one domain-matching method didn't arise to cover both sets of cases,
> we decided in favor of the more conservative method -- the one that at
> least made a strong attempt to protect users from cookie broadcasting.  Let
> me rephrase my challenge: given that we (you and I, at least) seem to agree
> that one organizational unit should have the ability to use cookies across
> its internal domains, can you propose a domain matching rule that allows
> that feature _without_ creating a cookie-broadcast situation (where a
> cookie is available to servers outside of the organizational unit)? 
> 
> M. Hedlund <hedlund@best.com>
> 
> 
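As an added example, not part of the archived thread: the Domain-attribute acceptance rules in the style of RFC 2109 sections 4.3.2 and 4.3.4, which I assume the draft under discussion inherits, applied to the server list quoted above and to the ".foobar" case. It shows concretely which of those hosts may set and which would receive a shared cookie, and why a single-label Domain is refused outright.

```python
from __future__ import annotations
from typing import Optional

def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: identical strings, or host has the form N+domain
    with N non-empty and domain beginning with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and len(host) > len(domain) and host.endswith(domain)

def set_cookie_rejection(request_host: str, domain: str) -> Optional[str]:
    """Why a user agent rejects a Set-Cookie carrying this Domain from this
    host (RFC 2109 s4.3.2 rules), or None if the cookie is accepted."""
    h, d = request_host.lower(), domain.lower()
    # Rule 1: Domain must begin with a dot and contain an embedded dot, so a
    # single-label value such as ".foobar" (or ".com") can never be used.
    if not d.startswith(".") or "." not in d[1:]:
        return "Domain lacks an embedded dot or a leading dot"
    # Rule 2: the setting host must itself domain-match the Domain; the apex
    # host companyname.com does not match .companyname.com by this definition.
    if not domain_match(h, d):
        return "request-host does not domain-match Domain"
    # Rule 3: writing host = H + Domain, H may not contain a dot, so only a host
    # exactly one label below Domain may set a cookie for it (anti-broadcast).
    if "." in h[: -len(d)]:
        return "request-host is more than one label below Domain"
    return None

def sharing_report(domain: str, hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Per host: (may set a cookie with this Domain, would be sent such a cookie).
    Sending (s4.3.4) needs only a domain-match, so deeper hosts receive what a
    shallower one set, while the apex host is left out of the group entirely."""
    return {h: (set_cookie_rejection(h, domain) is None, domain_match(h, domain))
            for h in hosts}

# Constructed from the server list quoted in the thread.
THREAD_HOSTS = [
    "companyname.com",
    "productname.companyname.com",
    "version1.productname.companyname.com",
    "version2.productname.companyname.com",
    "version3.productname.companyname.com",
]

if __name__ == "__main__":
    for host, (can_set, gets) in sharing_report(".companyname.com", THREAD_HOSTS).items():
        print(f"{host:40} set={can_set!s:5} receives={gets}")
    print(".foobar ->", set_cookie_rejection("www.foobar", ".foobar"))
```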
Received on Saturday, 22 March 1997 16:47:55 EST
