- From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
- Date: Fri, 4 Apr 1997 11:36:37 -0800
- To: "Jaye, Dan" <DJaye@engagetech.com>, "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
- Cc: "'ahyde@focalink.com'" <ahyde@focalink.com>, "'rodger@worldnet.atg.net'" <rodger@worldnet.atg.net>
I certainly hope we can discuss this in Memphis, whether as part of the agenda for the working group or in a bar bof.

My concern is that this proposal seems to address a question not basic to the concerns about the restrictions on domain. In short, it seems to heighten the ability of a server sending a cookie to verify its identity, without doing a whole lot to explicate the relationship between the cookie issuer and content provider. I can see ways in which this mechanism could be used, but I'm not sure that my examples are part of your intended design.

Your base design seems to assume that Certifying Authorities will emerge which will certify not just an organization's identity but its adherence to an established set of guidelines on the use of the data which it receives. This seems to combine the x509 certificate with something which would require a much bigger process. Not ISO 9000, maybe, but a significant amount of work, as it involves verifying internal processes--not just proofs of identity. The emergence of trustworthy CA's willing to take that on seems problematic.

There may be a way around that, by drawing on the existing relationships and setting things up so that the assurance of certification was inherent in the content-provider/cookie issuer relationship. If, for example, we imagine that cookie issuers make the content-provider the cookie-issuer's certifying authority for a particular cookie, then allowing cookies when the certifying authority domain matches the content-provider makes a certain amount of sense. Doing so, however, would require a whole new set of CA's, the acceptance of which in the cookie context should probably not be extended to other contexts. It also requires a method of allowing the UA to display this new relationship.

To rephrase this, I don't think users have a problem believing that "tripleclick" is who it says it is when they receive a cookie from "tripleclick.net". I think what they need to see is how tripleclick relates to the current and other content providers. Using the inter-relationships among x509 certifying authorities may be one way of getting the relationships specified, but it is at least a moderately complex way that still needs to be made visible to the end user.

regards,
Ted Hardie
NASA NIC

NB: NASA isn't confused about this, I am.
Received on Friday, 4 April 1997 11:39:14 UTC