W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

RE: making no progress on cookies

From: hedlund <hedlund@best.com>
Date: Sat, 11 Oct 1997 20:23:03 -0700 (PDT)
To: Yaron Goland <yarong@microsoft.com>
Cc: http-state@lists.research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.BSF.3.96.971011201251.1777A-100000@shell7.ba.best.com>

On Sat, 11 Oct 1997, Yaron Goland wrote:
> I understand the concerns regarding unsigned cookies but at the same
> time I do not believe we can create restrictions that are not arbitrary.
> For example, the two hierarchy level restriction. 

I agree that the two-dot rule you refer to is a compromise that neither
fully protects privacy nor consistently ascertains the need to do so.  It
was the best solution we found, and the other privacy restrictions in the
RFC were intended to make up for this compromise.  I do not agree that the
privacy restrictions are arbitrary, though I would be foolish but to agree
that they are controversial. 

> As such I believe the best we can do is state "You want security? Use a
> signature."
> 
> How many systems do you know that go out of there to specify security in
> situations where the user intentionally chooses not to use any security?

Security is not the same thing as privacy.

There are plenty of systems that protect privacy even if the user does not
explicitly request privacy protection.  That is my understanding of the
intent of the privacy restrictions in the cookie rfc.

M. Hedlund <hedlund@best.com>
Received on Saturday, 11 October 1997 20:27:17 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:01 EDT