W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2007

Internet-Drafts Posted

From: Yngve Nysaeter Pettersen <yngve@opera.com>
Date: Thu, 12 Jul 2007 19:24:21 +0200
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <op.tvc3yvonvqd7e2@killashandra-ii.oslo.opera.com>


Hello all,

I have posted the following four updated HTTP related draft about problems  
with cookies and caching, as proposed ways to solve those problems

For more background see my articles:

   http://my.opera.com/yngve/blog/show.dml/267415
   http://my.opera.com/yngve/blog/show.dml/388840
   http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the

------- Forwarded message -------
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D ACTION:draft-pettersen-cookie-v2-01.txt
Date: Thu, 12 Jul 2007 18:15:14 +0200

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


	Title		: HTTP State Management Mechanism v2
	Author(s)	: Y. Pettersen
	Filename	: draft-pettersen-cookie-v2-01.txt
	Pages		: 31
	Date		: 2007-7-12
	
This document specifies a way to create a stateful session with
    Hypertext Transfer Protocol (HTTP) requests and responses.  It
    describes three HTTP headers, Cookie, Cookie2, and Set-Cookie2, which
    carry state information between participating origin servers and user
    agents.  The method described here differs from both Netscape's
    Cookie proposal [Netscape], and [RFC2965], but it can, provided some
    requirements are met, interoperate with HTTP/1.1 user agents that use

    Netscape's method.  (See the HISTORICAL section.)

    This document defines new rules for how cookies can be shared between
    servers within a domain.  These new rules are intended to address
    security and privacy concerns that are difficult to counter for
    clients implementing Netscape's proposed rules or the rules specified
    by RFC 2965.

    This document reflects implementation experience with RFC 2965 and
    obsoletes it.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-01.txt

------- Forwarded message -------
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D ACTION:draft-pettersen-dns-cookie-validate-02.txt
Date: Thu, 12 Jul 2007 18:15:14 +0200

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


	Title		: Enhanced validation of domains for HTTP State Management Cookies  
using DNS
	Author(s)	: Y. Pettersen
	Filename	: draft-pettersen-dns-cookie-validate-02.txt
	Pages		: 14
	Date		: 2007-7-12
	
HTTP State Management Cookies are used for a wide variety of tasks on
    the Internet, from preference handling to user identification.  An
    important privacy and security feature of cookies is that their
    information can only be sent to a servers in a limited namespace, the
    domain.
    The variation of domain structures that are in use by domain name
    registries, especially the country code Top Level Domains (ccTLD)
    namespaces, makes it difficult to determine what is a valid domain,
    e.g. example.co.uk and example.no, which cookies should be permitted
    for, and a registry-like domain (subTLDs) like co.uk where cookies
    should not be permitted.

    This document specifies an imperfect method using DNS name lookups
    for cookie domains to determine if cookies can be permitted for that
    domain, based on the assumption that most subTLD domains will not
    have an IP address assigned to them, while most legitimate services
    that share cookies among multiple servers will have an IP address for
    their domain name to make the user's navigation easier by omitting
    the customary "www" prefix.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-02.txt

------- Forwarded message -------
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D ACTION:draft-pettersen-subtld-structure-02.txt
Date: Thu, 12 Jul 2007 18:15:14 +0200

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


	Title		: The TLD Subdomain Structure Protocol and its use for Cookie  
domain validation
	Author(s)	: Y. Pettersen
	Filename	: draft-pettersen-subtld-structure-02.txt
	Pages		: 14
	Date		: 2007-7-12
	
This document defines a protocol and specification format that can be
    used by a client to discover how a Top Level Domain (TLD) is
    organized in terms of what subdomains are used to place closely
    related but independent domains, e.g. commercial domains in country
    code TLDs (ccTLD) like .uk are placed in the .co.uk subTLD domain.

    This information is then used to limit which domains an Internet
    service can set cookies for, strengthening the rules already defined
    by the cookie specifications.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-02.txt


------- Forwarded message -------
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D ACTION:draft-pettersen-cache-context-01.txt
Date: Thu, 12 Jul 2007 18:15:15 +0200

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


	Title		: A context mechanism for controlling caching of HTTP responses
	Author(s)	: Y. Pettersen
	Filename	: draft-pettersen-cache-context-01.txt
	Pages		: 18
	Date		: 2007-7-12
	
A common problem for sensitive web services is informing the client,
    in a reliable fashion, when a password protected resource is no
    longer valid because the user is logged out of the service.  This is,
    in particular, considered a potential security problem by some
    sensitive services, such as online banking, when the user navigates
    the client's history list, which is supposed to display the resource
    as it was when it was loaded, not as it is at some later point in
    time.

    This document presents a method for collecting such sensitive
    resources into a group, called a "Cache Context", which permits the
    server to invalidate all the resources belonging in the group either
    by direct action, or according to some expiration policy.  The
    context can be configured to invalidate not just the resources, but
    also specific cookies, HTTP authentication credentials and HTTP over
    TLS session information.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cache-context-01.txt

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		                 Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Thursday, 12 July 2007 17:23:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:15 GMT