
RE: making progress on cookies

From: Yaron Goland <yarong@microsoft.com>
Date: Sun, 12 Oct 1997 14:27:31 -0700
Message-Id: <11352BDEEB92CF119F3F00805F14F48503DFC7AD@RED-44-MSG.dns.microsoft.com>
To: 'Dave Kristol' <dmk@bell-labs.com>
Cc: http-state@lists.research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Privacy - I get scared whenever a public organization tries to decide
what appropriate "privacy" is. That is a consumer decision, not an IETF
one. The IETF's job is to provide secure interoperable protocols, not to
decide for users what the appropriate level of privacy is. Consumers
make choices, they choose to use one product over another. It is in that
choice that they choose how to protect their privacy. That choice
includes choosing products which default to accepting all cookies.

2109 - The problems with the current spec have nothing to do with
complexity. They have to do with an attempt to patch a fundamentally
broken protocol. Building a cookie mechanism on signed cookies provides
a protocol which delivers security without interfering in the UI and
feature decisions of software makers.

			Yaron

> -----Original Message-----
> From:	Dave Kristol [SMTP:dmk@bell-labs.com]
> Sent:	Sunday, October 12, 1997 1:59 PM
> To:	Yaron Goland
> Cc:	http-state@lists.research.bell-labs.com;
> http-wg@cuckoo.hpl.hp.com
> Subject:	RE: making progress on cookies
> 
> At 6:50 PM -0700 10/10/97, Yaron Goland wrote:
> >An alternative proposal is to take the signed cookie draft and combine
> >it with the protocol draft and put that up as the standard. That way we
> >don't have to argue over heuristics which prevent legitimate
> >functionality and instead use a policy based system backed up with
> >authentication.
> 
> As I've said before, I don't think this would be a positive step.  If we're
> having trouble making progress on the current specification, trying to make
> progress on an even more complex one will be that much more difficult.
> 
> I agree with Dave Morris's point that not all applications need or want
> signed cookies.  I prefer to regard the signed cookies proposal as an
> add-on.  I think it can mesh relatively smoothly with the (successor to)
> RFC 2109.
> 
> Dave Kristol
> 
Received on Sunday, 12 October 1997 14:47:30 EDT
