RE: Issues with the cookie draft

The domain restriction is not a protection of privacy, it is a
prohibition against the right of companies to structure their Internet
use as they see fit. The free market will do a better job of protecting
users' rights than a domain name restriction. If someone is abusing
cookies, let the press scream it out. If we can implement technical
protections to prevent the abuse of cookies, then let us do so. But the
domain restriction provides no real protection against the abuse of
cookies while preventing the legitimate behavior of companies.

For example, a company which has a different second tier website for
each of its products is now prevented from sharing cookies between those
sites. There is absolutely no reason to prevent this behavior. You are
trying to establish a relationship between domain names and
organizational responsibility. However the domain name system was not
set up to provide this connection, therefore relying upon it is
unreasonable. The domain solution provides no protection against the
unauthorized sharing of data, it only makes it slightly inconvenient,
but it does prevent legitimate activity. I would argue that the cure is
worse than the disease and the domain restriction should be removed. I
am not arguing that the domain attribute should be removed, only the
restriction on what cookie servers may put in it.

Furthermore, putting in place a solution we know will break, in the case
of the coming use of top level domains, is yet another reason to remove this
section of the spec.

If this faulty behavior cannot be remedied then the spec should not be
allowed to move on in the standards process.


> -----Original Message-----
> From:	M. Hedlund []
> Sent:	Saturday, March 22, 1997 5:37 PM
> To:	Yaron Goland
> Cc:	Dave Kristol;
> Subject:	RE: Issues with the cookie draft
> On Sat, 22 Mar 1997, Yaron Goland wrote:
> > We all agree that the spec prevents completely legitimate behavior. Thus
> > demonstrating there is a flaw in the spec.
>
> No, at least two of us agree that the spec fails to enable desirable
> behavior.  That doesn't mean there's a flaw in the spec.  In this case, it
> means that no standard exists for determining the organizational unit in a
> domain name -- a prerequisite, as far as I can see, for the behavior you
> want.  If you want to point fingers, point them at the domain name
> standard.  The cookie spec does the best it can with the information it is
> given.  If you disagree, propose an improvement -- which removing 'domain'
> is not.
>
> With regards to private top-level domains, we can crumble that cookie when
> we come to it (if you'll forgive me).  I agree that the situation is just
> going to get worse as we start litigating the nature of domain name
> registries.  However, I have yet to hear how you intend to improve the spec
> in light of your predictions.  Do you really think removing the domain
> restriction altogether improves the spec?  I would argue that doing so
> would _create_ a serious flaw where none exists today.
>
> M. Hedlund <>
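As an added illustration of the rule the two messages argue over (this is not code from the thread, its authors, or the working group): the Domain-attribute acceptance checks of RFC 2109 section 4.3.2, assumed here to be the "domain restriction" under discussion, run against constructed host names. It shows which sharing the rule permits, which it refuses regardless of who owns the hosts, and the registry-level case (`.co.uk`) where the rule has no way to tell an organization from a registry.

```python
# Added example, not from the thread. Implements the RFC 2109 4.3.2
# Domain-attribute checks (assumed to be the "domain restriction" debated
# above) and evaluates them over constructed host/Domain pairs.


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 'domain-match': identical strings, or host has the form
    N + domain where N is non-empty and domain starts with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def accept_domain(request_host: str, domain: str) -> tuple[bool, str]:
    """Decide whether a user agent may accept a Set-Cookie Domain value
    received from request_host. Returns (accepted, reason)."""
    d = domain.lower()
    h = request_host.lower()
    if not d.startswith("."):
        return False, "Domain must start with a dot"
    # An embedded dot is one that is neither the leading nor a trailing dot.
    if "." not in d[1:-1]:
        return False, "Domain has no embedded dot"
    if not domain_match(h, d):
        return False, "request-host does not domain-match Domain"
    # request-host = H + Domain; H may not itself contain a dot.
    if "." in h[: -len(d)]:
        return False, "request-host has extra labels above Domain"
    return True, "ok"


# Constructed cases (example.com / example.net / example.co.uk are not real sites).
CASES = [
    ("shoes.example.com", ".example.com"),      # sibling hosts under one name: shared
    ("shoes.example.com", ".example.net"),      # second name of the same owner: refused
    ("www.shoes.example.com", ".example.com"),  # two labels above Domain: refused
    ("shop.example.com", ".com"),               # whole TLD: refused (no embedded dot)
    ("example.co.uk", ".co.uk"),                # registry suffix: accepted by the rule
]


def evaluate_cases() -> list[tuple[str, str, bool]]:
    """Run every constructed case and return (host, domain, accepted) rows."""
    return [(h, d, accept_domain(h, d)[0]) for h, d in CASES]


if __name__ == "__main__":
    for host, dom, ok in evaluate_cases():
        print(f"{host:26} Domain={dom:14} {'accept' if ok else 'reject'}")
```

The last row is the gap Hedlund names: the rule is satisfied by `.co.uk` exactly as by `.example.com`, because nothing in the DNS name says where the organization ends and the registry begins.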

Received on Saturday, 22 March 1997 19:47:58 UTC