Re: Origin cookies, and First-party cookies.

Hey Mike,

Sorry, I thought I responded to this a few days ago, but apparently not.

I encouraged people at the HNL meeting to read these and comment as well. Now is a good time to consider adopting these, since http/2 is winding down. 

The hallway conversations I had about these seemed to be positive. I want to talk to a few more people (including Barry) about them, but adopting them is in-scope for our charter, and I think reasonable.

What I'd suggest is that you continue to work on them, do a prototype in Chrome, and discuss with other potential implementers -- using this mailing list to coordinate, discuss the drafts, etc. Once you get some more momentum on them, we can do a call for adoption and/or discuss other options.

Make sense?

Cheers,


> On 22 Nov 2014, at 8:31 pm, Mike West <mkwst@google.com> wrote:
> 
> Thanks to all three of you!
> 
> On Fri, Nov 21, 2014 at 9:49 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> This mailing list is for discussing current work items for httpbis: HTTP/2, Alt-Svc, etc.  A little discussion of related “homeless” topics is usually tolerated as long as there is a small amount of traffic that does not distract people from the on-topic discussions.
> 
> I certainly don't want to disrupt work on HTTP. However, WebSec seemed both quiet, and focused on finishing HSTS/PKP. Those seemed less conducive to cookie discussions than HTTP, but I'm certainly happy to take the conversation there if it's the right thing to do.
>  
>> Your proposal (and Andrei’s) have one important thing that the authors of proposals in the previous round didn’t: the people behind them (you and Andrei) actually work on browsers, so your proposals might get implemented. That’s a good start.
> 
> The proposals I'm advocating are also trivial; they don't introduce any new concepts to the platform, they merely apply concepts we already have to cookies in slightly new ways. This is true both in terms of the user agent's implementation as well as website adoption.
> 
> If putting together a prototype would help move things along, I'm happy to do so in Chromium.
>  
>> So, for starters it’s OK to start the discussion here. ... When (and if) things seem to be converging (on a list of requirements and 1 or more proposals) then we can have the discussion again about what working group should handle this: httpbis, uta or a new working group.
> 
> Thanks, this seems like very reasonable advice!
>  
>> But start with showing that there is interest.
> 
> I've talked with folks at Mozilla who seemed interested in both proposals. Indeed, "first-party cookies" is, in many ways, an adaptation of Mark Goodwin's "samedomain cookies" proposal: http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt. I suspect he'd be interested in implementing something in Gecko. (+mgoodwin
> 
> On Sat, Nov 22, 2014 at 1:38 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> The first-party concept is interesting and
>> potentially valuable, assuming the other issues aren't resolved.
> 
> Which other issues? Naively, it seems useful in and of itself.
>  
>> The list also only surveyed work that has been submitted to the IETF; the
>> macaroon concept is another point of interest in the space.
>  
> It's also significantly more complex than these proposals. :)
> 
>> I have reservations about defining a mechanism that fails open without
>> any way of learning that this has happened.  Mike and I discussed some
>> amendments that might work.
> 
> There's certainly more discussion to be had on this topic in particular, and I do appreciate your input so far. Since there seems to be at least vague interest on this list, I'll hop back to that other thread to pick things up again.
>  
>> Given the narrow locus of effort in this area, I think that a new,
>> short-lived working group is the best way to deal with this.  Building
>> something (anything) that helps with this cookie mess would be great.
> 
> I'm a little worried that spinning up a working group will run counter to these proposals' simplicity. Perhaps this is my lack of IETF experience talking, but I've certainly seen problems grow to fill the space allotted to them in other areas. If we spin up a working group, I'm worried we'd get lost in (useful!) discussions about what we should have _instead_ of cookies, rather than how we could implement something which serves the use cases these two proposals highlight.
> 
> But if tightly scoped WGs work well in this forum, then I'm all for it!
> 
> -mike 
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Court of registration and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 24 November 2014 23:34:17 UTC