- From: Yaron Goland <yarong@microsoft.com>
- Date: Sat, 22 Mar 1997 16:45:07 -0800
- To: "'hedlund@best.com'" <hedlund@best.com>
- Cc: Dave Kristol <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
We all agree that the spec prevents completely legitimate behavior. Thus demonstrating there is a flaw in the spec. My understanding of IETF procedure is that the onus is now on the spec's editor to either fix the flaw or remove the offending section. Is my understanding inaccurate? BTW, in the near future it is very likely that control over the top level domains will be opened to competition. Thus, in theory at least, the foobar company could purchase a top level domain name of "foobar". Thus their site would be foobar,www.foobar, or what have you. This spec will now prevent them from being able to share cookies across www.foobar and foobar. Yaron PS Anyone who says "Wait a minute, that won't be allowed, you will always have to be at least two levels" doesn't appreciate the unbelievable worth of having your own top level domain name. Can you imagine how much a company would be willing to pay to allow people to just type in their company name on a command line and get their web site? > -----Original Message----- > From: M. Hedlund [SMTP:hedlund@best.com] > Sent: Saturday, March 22, 1997 8:15 AM > To: Yaron Goland > Cc: Dave Kristol; http-wg@cuckoo.hpl.hp.com > Subject: RE: Issues with the cookie draft > > > On Sat, 22 Mar 1997, Yaron Goland wrote: > > I'll come up with a rule to handle your cases as soon as you come up > > with a rule to allow me to share cookies across: > > > > companyname.com > > productname.companyname.com > > version1.productname.companyname.com > > version2.productname.companyname.com > > version3.productname.companyname.com > > > > The current spec prevents sharing cookies amongst those servers. > That > > does not seem terribly reasonable. > > I agree that it would be desirable to allow this functionality, and I > concede that we as a group were not able to come up with such a rule > (which > I think Lou Montulli also raised as desirable in some cases). My > point > about arbitrariness was that we didn't find a way to determine what > was a > company/organization name versus what was a "top"-level domain -- in > other > words, the rules that would satisfy the above cases would necessarily > fail > to satisfy the cases I listed. > > Since one domain-matching method didn't arise to cover both sets of > cases, > we decided in favor of the more conservative method -- the one that at > least made a strong attempt to protect users from cookie broadcasting. > Let > me rephrase my challenge: given that we (you and I, at least) seem to > agree > that one organizational unit should have the ability to use cookies > across > its internal domains, can you propose a domain matching rule that > allows > that feature _without_ creating a cookie-broadcast situation (where a > cookie is available to servers outside of the organizational unit)? > > M. Hedlund <hedlund@best.com> > >
Received on Saturday, 22 March 1997 16:47:55 UTC