RE: making progress on cookies

From: Yaron Goland <yarong@microsoft.com>
Date: Sat, 11 Oct 1997 19:55:15 -0700
Message-Id: <11352BDEEB92CF119F3F00805F14F48503DFC7A6@RED-44-MSG.dns.microsoft.com>
To: "'David W. Morris'" <dwm@xpasc.com>
Cc: Dave Kristol <dmk@research.bell-labs.com>, http-state@lists.research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

I understand the concerns regarding unsigned cookies but at the same
time I do not believe we can create restrictions that are not arbitrary.
For example, the two hierarchy level restriction. As such I believe the
best we can do is state "You want security? Use a signature."

How many systems do you know that go out of their way to specify security in
situations where the user intentionally chooses not to use any security?

			Yaron

> -----Original Message-----
> From:	David W. Morris [SMTP:dwm@xpasc.com]
> Sent:	Saturday, October 11, 1997 12:32 PM
> To:	Yaron Goland
> Cc:	Dave Kristol; http-state@lists.research.bell-labs.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com; http-wg@cuckoo.hpl.hp.com
> Subject:	RE: making progress on cookies
> 
> 
> 
> On Fri, 10 Oct 1997, Yaron Goland wrote:
> 
> > An alternative proposal is to take the signed cookie draft and combine
> > it with the protocol draft and put that up as the standard. That way we
> > don't have to argue over heuristics which prevent legitimate
> > functionality and instead use a policy based system backed up with
> > authentication.
> 
> This alternative would not be a complete solution since it would drop
> the default specification for cookie privacy when the cookie presented
> was not signed.
> 
> I have no problem with an alternative which includes completing work
> on the signed cookie proposal but I see that as additional specification
> and not replacing some form of the existing privacy specifications.
> 
> Dave Morris
Received on Saturday, 11 October 1997 19:58:18 EDT