Re: Origin cookies, and First-party cookies.

Thanks to all three of you!

On Fri, Nov 21, 2014 at 9:49 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> This mailing list is for discussing current work items for httpbis:
> HTTP/2, Alt-Svc, etc.  A little discussion of related “homeless” topics is
> usually tolerated as long as there is a small amount of traffic that does
> not distract people from the on-topic discussions.
>

I certainly don't want to disrupt work on HTTP. However, WebSec seemed both
quiet, and focused on finishing HSTS/PKP. Those seemed less conducive to
cookie discussions than HTTP, but I'm certainly happy to take the
conversation there if it's the right thing to do.


> Your proposal (and Andrei’s) have one important thing that the authors of
> proposals in the previous round didn’t: the people behind them (you and
> Andrei) actually work on browsers, so your proposals might get implemented.
> That’s a good start.
>

The proposals I'm advocating are also trivial; they don't introduce any new
concepts to the platform, they merely apply concepts we already have to
cookies in slightly new ways. This is true both in terms of the user
agent's implementation as well as website adoption.

If putting together a prototype would help move things along, I'm happy to
do so in Chromium.


> So, for starters it’s OK to start the discussion here. ... When (and if)
> things seem to be converging (on a list of requirements and 1 or more
> proposals) then we can have the discussion again about what working group
> should handle this: httpbis, uta or a new working group.
>

Thanks, this seems like very reasonable advice!


> But start with showing that there is interest.
>

I've talked with folks at Mozilla who seemed interested in both proposals.
Indeed, "first-party cookies" is, in many ways, an adaptation of Mark
Goodwin's "samedomain cookies" proposal:
http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt. I
suspect he'd be interested in implementing something in Gecko. (+mgoodwin

On Sat, Nov 22, 2014 at 1:38 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:
>
> The first-party concept is interesting and
> potentially valuable, assuming the other issues aren't resolved.


Which other issues? Naively, it seems useful in and of itself.


> The list also only surveyed work that has been submitted to the IETF; the
> macaroon concept is another point of interest in the space.
>

It's also significantly more complex than these proposals. :)

> I have reservations about defining a mechanism that fails open without
> any way of learning that this has happened.  Mike and I discussed some
> amendments that might work.
>

There's certainly more discussion to be had on this topic in particular,
and I do appreciate your input so far. Since there seems to be at least
vague interest on this list, I'll hop back to that other thread to pick
things up again.


> Given the narrow locus of effort in this area, I think that a new,
> short-lived working group is the best way to deal with this.  Building
> something (anything) that helps with this cookie mess would be great.
>

I'm a little worried that spinning up a working group will run counter to
these proposals' simplicity. Perhaps this is my lack of IETF experience
talking, but I've certainly seen problems grow to fill the space allotted
to them in other areas. If we spin up a working group, I'm worried we'd get
lost in (useful!) discussions about what we should have _instead_ of
cookies, rather than how we could implement something which serves the use
cases these two proposals highlight.

But if tightly scoped WGs work well in this forum, then I'm all for it!

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Saturday, 22 November 2014 09:32:23 UTC