- From: Yaron Goland <yarong@microsoft.com>
- Date: Sat, 11 Oct 1997 19:55:15 -0700
- To: "'David W. Morris'" <dwm@xpasc.com>
- Cc: Dave Kristol <dmk@research.bell-labs.com>, http-state@lists.research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I understand the concerns regarding unsigned cookies but at the same time I do not believe we can create restrictions that are not arbitrary. For example, the two hierarchy level restriction. As such I believe the best we can do is state "You want security? Use a signature." How many systems do you know that go out of their way to specify security in situations where the user intentionally chooses not to use any security?

Yaron

> -----Original Message-----
> From: David W. Morris [SMTP:dwm@xpasc.com]
> Sent: Saturday, October 11, 1997 12:32 PM
> To: Yaron Goland
> Cc: Dave Kristol; http-state@lists.research.bell-labs.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com; http-wg@cuckoo.hpl.hp.com
> Subject: RE: making progress on cookies
>
> On Fri, 10 Oct 1997, Yaron Goland wrote:
>
> > An alternative proposal is to take the signed cookie draft and combine
> > it with the protocol draft and put that up as the standard. That way we
> > don't have to argue over heuristics which prevent legitimate
> > functionality and instead use a policy based system backed up with
> > authentication.
>
> This alternative would not be a complete solution since it would drop
> the default specification for cookie privacy when the cookie presented
> was not signed.
>
> I have no problem with an alternative which includes completing work
> on the signed cookie proposal but I see that as additional specification
> and not replacing some form of the existing privacy specifications.
>
> Dave Morris

Received on Saturday, 11 October 1997 19:58:18 UTC