- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 21 Nov 2014 14:38:25 -1000
- To: Yoav Nir <ynir.ietf@gmail.com>
- Cc: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>

On 21 November 2014 10:49, Yoav Nir <ynir.ietf@gmail.com> wrote:
> We tried to get a “cookie replacement” discussion going at websec. Here’s a
> good summary of the proposals by Trevor Perrin:
> http://www.ietf.org/mail-archive/web/websec/current/msg01719.html

The first of these proposals (and token ID) are actually already on Trevor's list. Origin cookies are an evolution of cake; token ID is the channel ID evolved. The first-party concept is interesting and potentially valuable, assuming the other issues aren't resolved. The list also only surveyed work that has been submitted to the IETF; the macaroon concept is another point of interest in the space.

I have reservations about defining a mechanism that fails open without any way of learning that this has happened. Mike and I discussed some amendments that might work.

Given the narrow locus of effort in this area, I think that a new, short-lived working group is the best way to deal with this. Building something (anything) that helps with this cookie mess would be great.

Received on Saturday, 22 November 2014 00:38:52 UTC