W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Cookies and Pervasive Monitoring

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 22 Feb 2016 15:27:44 +1100
Message-Id: <3BB48C48-3D18-45E4-87B1-483DE33C1DAA@mnot.net>
To: HTTP WG <ietf-http-wg@w3.org>
As part of revising the Cookie spec <https://tools.ietf.org/html/rfc6265>, we need to consider the Pervasive Monitoring impact, as per <https://tools.ietf.org/html/rfc7258>:

Those developing IETF specifications need to be able to describe how they have considered PM, and, if the attack is relevant to the work to be published, be able to justify related design decisions.  This does not mean a new "pervasive monitoring considerations" section is needed in IETF documentation.  It means that, if asked, there needs to be a good answer to the question "Is pervasive monitoring relevant to this work and if so, how has it been considered?"

At this point, I'd like people to start thinking about this, because it's pretty clear that long-lived cookies do have the potential for PM impact, particularly on unencrypted connections.

As with other changes to this spec, we'd want what we decide to be actually implemented, so if we see proposals in this space, they'll need to be backed by some expressions of intent to implement before we adopt them.


Mark Nottingham   https://www.mnot.net/
Received on Monday, 22 February 2016 04:28:09 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC