W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Pervasive encryption: Pro and contra

From: Yoav Nir <synp71@live.com>
Date: Mon, 18 Nov 2013 10:56:10 +0200
Message-ID: <BLU0-SMTP327F58CC857FB175999F2D3B1E40@phx.gbl>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
CC: ietf-http-wg@w3.org
On 18/11/13 12:33 AM, Nicolas Mailhot wrote:
> Le Dim 17 novembre 2013 15:20, Yoav Nir a écrit :
>> On 17/11/13 2:16 PM, Nicolas Mailhot wrote:
>>> 2. it's disingenuous to claim tackling pervasive surveillance when
>>> nothing is done for the cookie networks whose sole aim is pervasive
>>> surveillance and which *are* an http "feature" (unlike TLS which is
>>> being bolted on)
>> True, but all previous attempts to make cookies better have failed.
>>    * The httpstate working group closed without standardizing "cake"
>>    * Recent attempts to get websec to discuss next generation cookies
>>      also failed to get people (especially browser vendors) interested.
> What was wrong with the solution that was proposed on this list a few
> months ago ? (by PHK IIRC)
Nothing wrong. We also had proposals from Adam Barth ("Cake"), from PHB 
("HTTP Session Management"), Trevor Perrin ("smart cookies"), and Nico 
Williams ("session continuation").  There's really no shortage of 
proposals on how to make cookies better.

What we are lacking is the indication that implementations (especially 
browsers) would implement such a mechanism if we standardized it. There 
is the channel-id proposal that may make cookies harder to steal, but 
that doesn't address its usage at all. With that, it's difficult to get 
people excited enough to actually do the work of reviewing this.

Received on Monday, 18 November 2013 08:56:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC