W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: FW: revised trusted cookie spec

From: Larry Masinter <masinter@parc.xerox.com>
Date: Mon, 18 Aug 1997 11:05:22 PDT
Message-Id: <33F88EE2.937C97CE@parc.xerox.com>
To: "Jaye, Dan" <DJaye@engagetech.com>
Cc: "'http-wg@cuckoo.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, "'http-state@lists.research.bell-labs.com'" <http-state@lists.research.bell-labs.com>
At the HTTP working group meeting, I took off my "virtual" chair's hat
and put on a "opinionated working group member" hat, and ranted about
commentURLs. I want to extend that rant:


I'm opposed to commentURLs in cookies.
I'm opposed to comment strings in cookies.
I'm opposed to trusted cookies, too.

I believe that we should recommend "browsers should not return
cookies to sites that are not trusted with private information"
and that trust can be established using a variety of means:
(a) the site sent you the cookie (b) you have some other way of 
establishing a site's privacy policy.

Establishing the privacy policy might be accomplished by
using a PICS-Label or by obtaining it via some other link,
having the privacy rating INSIDE THE DOCUMENT that contains
the links ("we assert that this document only links to sites
with the following privacy policy") or any of a variety of
means outside the HTTP protocol.

But assertions of privacy policies do not belong *inside* the
state management mechanism.

Larry
Received on Monday, 18 August 1997 11:12:02 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:51 EDT