W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: FW: Proposed amendment to RFC2109

From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
Date: Fri, 4 Apr 1997 11:36:37 -0800
Message-Id: <9704041136.ZM28237@thornhill.arc.nasa.gov>
To: "Jaye, Dan" <DJaye@engagetech.com>, "'http-wg@cuckoo.hpl.hp.com\ '" <http-wg@cuckoo.hpl.hp.com>
Cc: "'ahyde@focalink.com'" <ahyde@focalink.com>, "'rodger@worldnet.atg.net\ '" <rodger@worldnet.atg.net>
I certainly hope we can discuss this in Memphis, whether
as part of the agenda for the working group or in a bar bof.
My concern is that this proposal seems to address
a question not basic to the concerns about the restrictions
on domain.  In short, it seems to heighten the ability of a server
sending a cookie to verify its identity, without doing a
whole lot to explicate the relationship between the cookie
issuer and content provider.  I can see ways in which this
mechanism could be used, but I'm not sure that my
examples are part of your intended design.

Your base design seems to assume that Certifying
Authorities will emerge which will certify not just
an organization's identity but its adherence to an
established set of guidelines on the use of the data
which it receives.  This seems to combine the x509
certificate with something which would require
a much bigger process.  Not ISO 9000, maybe, but
a significant amount of work, as it involves verifying
internal processes--not just proofs of identity.
The emergence os trustworthy CA's willing to
take that on seems problematic.

There may be a way around that, by drawing on the
existing relationships and setting things up so that
the assurance of certification was inherent in the
content-provider/cookie issuer relationship.
If, for example, we imagine that cookie issuers make the
content-provider the cookie-issuer's certifying authority
for a particular cookie, then allowing cookies when the
certifying authority domain matches the content-provider
makes a certain amount of sense.   Doing so, however, would
require a whole new set of CA's, the acceptance of which
in the cookie context should probably not be extended to
other contexts.  It also requires a method of allowing the
UA to display this new relationship.

To rephrase this, I don't think users have a problem
believing that "tripleclick" is who it says it is when
they receive a cookie from "tripleclick.net".
I think what they need to see is how tripleclick relates
to the current and other content providers.   Using
the inter-relationships among x509 certifying
authorities may be one way of getting the relationships
specified, but it is a at least moderately complex way
that still needs to be made visible to the end user.

		regards,
			Ted Hardie
			NASA NIC

NB:  NASA isn't confused about this, I am.
Received on Friday, 4 April 1997 11:39:14 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:34 EDT