- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Mon, 15 Dec 97 17:26:35 EST
- To: http-state@lists.research.bell-labs.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At the IETF meeting I promised to send out a summary of where things stand and where things ought to go to nail down a revised HTTP State Management. This is it. Please keep the discussion on http-state@lists.research.bell-labs.com. (See <http://www.bell-labs.com/mailing-lists/http-state/>.) I'm sending this message to http-wg only as a courtesy. Step 1: Nail down the "wire protocol". At the IETF meeting I believe we narrowed down the outstanding issue(s) to the domain-matching rules. There are two sub-problems: a) flat namespaces in intranets; and b) using the n-dot rule to restrict the set of servers to which a cookie can be returned. I believe we actually resolved the flat namespace problem. The resolution is that, if the Domain attribute is omitted in Set-Cookie2, the client is restricted to return the cookie only to the server from which it came. That rule applies regardless of the name (and how many dots it contains). That leaves the domain-matching restriction rules to address. Step 2: reach consensus on the "privacy rules" Attendees thought they could arrive at an agreement about the interaction of the (previous) privacy rules and the user interface. The rules for unverifiable transactions, or at least the default user agent setting for them, remain contentious. For now I would like to restrict the discussion "agenda bashing" for Step 1 only. Does anyone believe there are other outstanding issues? Dave Kristol
Received on Monday, 15 December 1997 14:30:49 UTC