Re: FW: revised trusted cookie spec from Larry Masinter on 1997-08-19 (ietf-http-wg@w3.org from July to September 1997)

From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 19 Aug 1997 13:33:33 PDT
To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-state@lists.research.bell-labs.com
Message-Id: <33FA031D.3BB9D1A5@parc.xerox.com>

>        I do not know what was "the primary motivation for initially
> disallowing cookies", nor was aware that anyone or anything associated
> with the IETF had disallowed them.  Perhaps more germaine, I do not
> know what were the primary motivations for developing RFC 2109, nor
> what was discussed during the bulk of its development, nor have any
> way to access and review those discussions.  That all was done by
> a "sub-group" without archiving of its discussions.  This matter
> did not get fully "on-track" w.r.t to IETF standardization principles
> until discussions about fixing the bugs in RFC 2109 had commenced,
> and the more formally structured HTTP-State sub-group with a formal,
> reliably archived mail-list were "implemented".

RFC 2109 was a product of the HTTP working group. As with all working
group products, someone or some group actually will go off and write
a specification, and then the working group will review the
specification.
The review is open. What happens in the minds or conversations among
those who develop the specification is not. 

Section 4.3.2 "Rejecting Cookies" and 4.3.3 "Cookie Management" talk
directly about the motivation for the features therein. 4.3.2 says
"To prevent possible security or privacy violations", 4.3.3 says 
"Privacy considerations dictate that the user have considerable
control over cookie management." No other rationale is given.
The RFC itself is the best authority for what the "primary motiviation"
is for rejecting cookies, and it says so clearly. (I said 'disallowing'
but should have said 'rejecting', and perhaps my miswording is
the source of your confusion.)

In any case, the RFC itself is pretty self-explanatory.

>        I do know, and if need be could dig up the archived messages
> upon which I base my "knowledge", that the arguments for commentURL
> which led to it's inclusion in draft-ietf-http-state-man-mec-03.txt
> where not restricted to concerns about privacy, nor to the special
> case in which a user might wish to read it before accepting a cookie.

Yes, the arguments for "commentURL" were as a response to difficulties
with "Comment" in 2109. Personally, I'd rather see "Comment" removed
than to continue to add capabilities to it.

I'd stop "obstructing" this, except that a room full of people in Munich
seemed to nod when I suggested changing direction here.

Larry

Received on Tuesday, 19 August 1997 13:36:27 UTC