Re: draft-ietf-http-state-mgmt-01.txt LAST CALL

Benjamin Franz:
>I hate to rain on your parade - but you can't stop sharing of cookie info
>across cooperating domains. At all.

I am fully aware that there are numerous tricks which cooperating
domains can use to share session info.  I did not claim that the
restriction to single-domain cookies in netscape cookies and in the
state management draft is a good thing because it prevents all

The restriction is a good thing because without it, there would be
built-in cross-server tracking support in each browser, which is
something users do not want.  This is not about providing bullet-proof
privacy protection, this is about the public's perception of whether
their browser comes with standard built-in user tracking support.

>Basically - you can achieve nothing except making me work *slightly*
>harder to share information with a cooperating domain.

You will have to work more than just slightly harder.  And after you
deploy such a system, it will inevitably be discovered, and it will
result in bad publicity not just for you but for the entire web.  But
at least this bad publicity won't involve stories about browser
vendors and the IETF being on your side in the battle over privacy.

Multi-domain cookies would be a browser vendor public relations
disaster waiting to happen.  You can't expect browser vendors to
standardize on the state management draft if multi-domain cookies are

>Benjamin Franz


Received on Saturday, 15 June 1996 06:50:16 UTC