- From: Yaron Goland <yarong@microsoft.com>
- Date: Sat, 22 Mar 1997 19:46:11 -0800
- To: "'hedlund@best.com'" <hedlund@best.com>
- Cc: Dave Kristol <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
The domain restriction is not a protection of privacy, it is a prohibition against the right of companies to structure their Internet use as they see fit. The free market will do a better job of protecting users' rights than a domain name restriction. If someone is abusing cookies, let the press scream it out. If we can implement technical protections to prevent the abuse of cookies, then let us do so. But the domain restriction provides no real protection against the abuse of cookies while preventing the legitimate behavior of companies. For example, a company which has a different second tier website for each of its products is now prevented from sharing cookies between those sites. There is absolutely no reason to prevent this behavior.

You are trying to establish a relationship between domain names and organizational responsibility. However the domain name system was not set up to provide this connection, therefore relying upon it is unreasonable.

The domain solution provides no protection against the unauthorized sharing of data, it only makes it slightly inconvenient, but it does prevent legitimate activity. I would argue that the cure is worse than the disease and the domain restriction should be removed. I am not arguing that the domain attribute should be removed, only the restriction on what cookie servers may put in it.

Furthermore, putting in place a solution we know will break, in the case of coming use of top level domains, is yet another reason to remove this section of spec. If this faulty behavior cannot be remedied then the spec should not be allowed to move on in the standards process.

Yaron

> -----Original Message-----
> From: M. Hedlund [SMTP:hedlund@best.com]
> Sent: Saturday, March 22, 1997 5:37 PM
> To: Yaron Goland
> Cc: Dave Kristol; http-wg@cuckoo.hpl.hp.com
> Subject: RE: Issues with the cookie draft
>
> On Sat, 22 Mar 1997, Yaron Goland wrote:
> > We all agree that the spec prevents completely legitimate behavior. Thus
> > demonstrating there is a flaw in the spec.
>
> No, at least two of us agree that the spec fails to enable desirable
> behavior. That doesn't mean there's a flaw in the spec. In this case, it
> means that no standard exists for determining the organizational unit in a
> domain name -- a prerequisite, as far as I can see, for the behavior you
> want. If you want to point fingers, point them at the domain name
> standard. The cookie spec does the best it can with the information it is
> given. If you disagree, propose an improvement -- which removing 'domain'
> is not.
>
> With regards to private top-level domains, we can crumble that cookie when
> we come to it (if you'll forgive me). I agree that the situation is just
> going to get worse as we start litigating the nature of domain name
> registries. However, I have yet to hear how you intend to improve the spec
> in light of your predictions. Do you really think removing the domain
> restriction altogether improves the spec? I would argue that doing so
> would _create_ a serious flaw where none exists today.
>
> M. Hedlund <hedlund@best.com>

Received on Saturday, 22 March 1997 19:47:58 UTC