W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

RE: Last Call: Applicability Statement for HTTP State Management to BCP

From: Yaron Goland (Exchange) <yarong@Exchange.Microsoft.com>
Date: Fri, 25 Jun 1999 03:08:10 +0100 (BST)
Message-ID: <078292D50C98D2118D090008C7E9C6A6019472DA@STAY>
To: "'ietf@ietf.org'" <ietf@ietf.org>
Cc: http-wg@hplb.hpl.hp.com
The following comments are regarding:
http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-mec-10.txt

FIRST OFF:

I would like to congratulate Dave Kristol. Although, as I discuss below, I
have significant reservations about this specification Dave has spent an
enormous amount of time trying to be reasonable. He has worked very hard to
put in text that actually addresses the issues, isn't wish washy but at the
same time avoids the strident tone that has often entered into the cookie
debate. In addition Dave has done a really good job of addressing the
various problems with the early specification and coming up with the most
reasonable solutions one can probably expect given the circumstances.

That having been said.... =)

OBJECTION:

The key failure in cookie security is authentication, the ability to know
exactly with whom you are dealing. As we all know, domains can not provide
this information which is the core of the cookie security problem. It will
obviously take some time for a proper cookie authentication mechanism to be
agreed upon and it is quite reasonable for people to seek some sort of
interim solution which will provide at least some protection in the
meantime.

I do not believe that draft-ietf-http-state-man-mec-10.txt provides this
interim solution. While the draft does provide some improvements in regards
to the handling of cookies I personally do not believe that those
improvements are sufficient to merit changing the existing client and server
infrastructure. As such I believe that this draft should be blocked from
progressing to proposed standard status until it can demonstrate a
sufficiently high level of security to either qualify as a robust interim
measure or until it provides a workable solution to the underlying problem.

I realize that such judgments are completely subjective and am uncomfortable
making the previous argument. I prefer arguments based on indisputable
facts, but that doesn't appear possible here. On the positive side the
specification is well written and certainly achieves its modest goals. No
great harm will come to the internet community through its publication. I do
believe, however, that it would be unfortunate for the IETF to lend its
credibility to this specification in the specification's current state.

GENERAL COMMENTS:

I did not find internationalization considerations for cookie comments.
Shouldn't they be in UTF-8?

If no version is specified in a Set-Cookie2 header is one to assume that it
is version 1?

If one always returns the version number exactly then servers have no idea
if the client understood any enhanced semantics associated with a greater,
but still backwards compatible, version. Shouldn't the client only return
the highest version number it supports?

NIT:

In section 6 there is mention of 'speculating'. I would suggest rephrasing
with the phrase "provide guidance."

TYPOS:

In section 2, 6th paragraph, the sentence begins "ost names can be"

Section 4.2.3 talks about TTP/1.1 and TTP/1.0 servers.

I think there is a return missing after the title for section 4.3.5.

There is a "owever" in section 4.3.5.

Section 6 contains a "ere".

I think a return got lost after the title of section 6.3.1.

> -----Original Message-----
> From: The IESG [mailto:iesg-secretary@ietf.org]
> Sent: Wed, June 23, 1999 2:00 PM
> Cc: http-wg@hplb.hpl.hp.com
> Subject: Last Call: Applicability Statement for HTTP State 
> Management to
> BCP
> 
> 
> 
> The IESG has received a request from the IETF Steering Group Working
> Group to consider Applicability Statement for HTTP State Management
> <draft-iesg-http-cookies-00.txt> as a BCP.
> 
> The IESG will also consider HTTP State Management Mechanism
> <draft-ietf-http-state-man-mec-10.txt> as a Proposed Standard.
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send any comments to the
> iesg@ietf.org or ietf@ietf.org mailing lists by July 23, 1999.
> 
> Files can be obtained via
> http://www.ietf.org/internet-drafts/draft-iesg-http-cookies-00.txt
> http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-
mec-10.txt
Received on Wednesday, 30 June 1999 12:05:39 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT