- From: Yaron Goland (Exchange) <yarong@exchange.microsoft.com>
- Date: Fri, 25 Jun 1999 03:08:10 +0100 (BST)
- To: "'ietf@ietf.org'" <ietf@ietf.org>
- Cc: http-wg@hplb.hpl.hp.com
The following comments are regarding: http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-mec-10.txt

FIRST OFF: I would like to congratulate Dave Kristol. Although, as I discuss below, I have significant reservations about this specification, Dave has spent an enormous amount of time trying to be reasonable. He has worked very hard to put in text that actually addresses the issues, isn't wishy-washy, but at the same time avoids the strident tone that has often entered into the cookie debate. In addition, Dave has done a really good job of addressing the various problems with the early specification and coming up with the most reasonable solutions one can probably expect given the circumstances.

That having been said.... =)

OBJECTION: The key failure in cookie security is authentication, the ability to know exactly with whom you are dealing. As we all know, domains cannot provide this information, which is the core of the cookie security problem. It will obviously take some time for a proper cookie authentication mechanism to be agreed upon, and it is quite reasonable for people to seek some sort of interim solution which will provide at least some protection in the meantime. I do not believe that draft-ietf-http-state-man-mec-10.txt provides this interim solution. While the draft does provide some improvements with regard to the handling of cookies, I personally do not believe that those improvements are sufficient to merit changing the existing client and server infrastructure. As such, I believe that this draft should be blocked from progressing to proposed standard status until it can demonstrate a sufficiently high level of security to either qualify as a robust interim measure or until it provides a workable solution to the underlying problem. I realize that such judgments are completely subjective and am uncomfortable making the previous argument. I prefer arguments based on indisputable facts, but that doesn't appear possible here.
On the positive side, the specification is well written and certainly achieves its modest goals. No great harm will come to the internet community through its publication. I do believe, however, that it would be unfortunate for the IETF to lend its credibility to this specification in the specification's current state.

GENERAL COMMENTS:

I did not find internationalization considerations for cookie comments. Shouldn't they be in UTF-8?

If no version is specified in a Set-Cookie2 header, is one to assume that it is version 1?

If one always returns the version number exactly, then servers have no idea if the client understood any enhanced semantics associated with a greater, but still backwards compatible, version. Shouldn't the client only return the highest version number it supports?

NIT: In section 6 there is mention of 'speculating'. I would suggest rephrasing with the phrase "provide guidance."

TYPOS:

In section 2, 6th paragraph, the sentence begins "ost names can be".

Section 4.2.3 talks about TTP/1.1 and TTP/1.0 servers.

I think a return is missing after the title for section 4.3.5.

There is a "owever" in section 4.3.5.

Section 6 contains a "ere".

I think a return got lost after the title of section 6.3.1.

> -----Original Message-----
> From: The IESG [mailto:iesg-secretary@ietf.org]
> Sent: Wed, June 23, 1999 2:00 PM
> Cc: http-wg@hplb.hpl.hp.com
> Subject: Last Call: Applicability Statement for HTTP State
> Management to
> BCP
>
>
>
> The IESG has received a request from the IETF Steering Group Working
> Group to consider Applicability Statement for HTTP State Management
> <draft-iesg-http-cookies-00.txt> as a BCP.
>
> The IESG will also consider HTTP State Management Mechanism
> <draft-ietf-http-state-man-mec-10.txt> as a Proposed Standard.
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send any comments to the
> iesg@ietf.org or ietf@ietf.org mailing lists by July 23, 1999.
>
> Files can be obtained via
> http://www.ietf.org/internet-drafts/draft-iesg-http-cookies-00.txt
> http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-mec-10.txt
Received on Wednesday, 30 June 1999 04:09:52 UTC
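The OBJECTION above rests on cookies being scoped by host-name suffix rather than by any authenticated identity. The following is an added example, not part of the message, the draft or any browser's code: a small JavaScript model of the Set-Cookie2 Domain/Path acceptance rules and the domain-match rule as they appear in RFC 2965 (the eventual published form of draft-ietf-http-state-man-mec; it is an assumption here that draft -10 carried the same rules). The header strings, host names and the helper names `parseSetCookie2`, `acceptCookie` and `cookiesFor` are constructed for the example. It shows what the rules do and do not prevent: a cookie set with `Domain=".example.com"` is later sent to every host under that suffix, whoever operates it.

```javascript
// Added example: a user-agent-side model of Set-Cookie2 scoping (RFC 2965
// rules, assumed identical in draft -10). Not code from the message or draft.

// domain-match (RFC 2965 sec. 1): A and B are equal, or B begins with a dot
// and A ends with B with at least one character before it (A = N + B).
function domainMatches(a, b) {
  a = a.toLowerCase(); b = b.toLowerCase();
  if (a === b) return true;
  if (!b.startsWith('.')) return false;
  return a.length > b.length && a.endsWith(b);
}

function unquote(s) {
  return s.length >= 2 && s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s;
}

// Parse a Set-Cookie2 header value: NAME=VALUE, then ';'-separated
// attributes whose values may be quoted. Only Domain/Path/Version matter here.
function parseSetCookie2(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: unquote(rest.join('=').trim()), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i < 0 ? '' : unquote(p.slice(i + 1).trim());
  }
  return cookie;
}

// Apply the user-agent rejection rules (RFC 2965 sec. 3.3.2) to a cookie
// received from requestHost for requestPath. Returns {ok, cookie} or
// {ok: false, reason}. The .local special case is not modelled.
function acceptCookie(header, requestHost, requestPath) {
  const reject = reason => ({ ok: false, reason });
  const c = parseSetCookie2(header);
  const host = requestHost.toLowerCase();

  // Path defaults to the request path up to and including the right-most '/'
  // and must be a prefix of the request-URI path.
  const defaultPath = requestPath.slice(0, requestPath.lastIndexOf('/') + 1) || '/';
  c.path = c.attrs.path ?? defaultPath;
  if (!requestPath.startsWith(c.path)) return reject('Path is not a prefix of request-URI path');

  if ('domain' in c.attrs) {
    const d = c.attrs.domain.toLowerCase();
    if (!d.startsWith('.')) return reject('Domain does not start with a dot');
    if (!d.slice(1).includes('.')) return reject('Domain has no embedded dot');
    if (!domainMatches(host, d)) return reject('request-host does not domain-match Domain');
    // request-host has the form HD; H may not contain a dot, so a host can
    // only set cookies one label above itself, never for a higher suffix.
    const h = host.slice(0, host.length - d.length);
    if (h.includes('.')) return reject('request-host is more than one label below Domain');
    c.domain = d;
  } else {
    // No Domain attribute: effective domain is the request-host itself, which
    // (having no leading dot) domain-matches only an identical host.
    c.domain = host;
  }
  return { ok: true, cookie: c };
}

// Names of the stored cookies a user agent would send to host/path.
function cookiesFor(store, host, path) {
  return store
    .filter(c => domainMatches(host, c.domain) && path.startsWith(c.path))
    .map(c => c.name);
}

// Constructed scenario: www.example.com sets a session cookie for the whole
// .example.com suffix; it then flows to any other host under that suffix.
const accepted = acceptCookie('SID="abc"; Version="1"; Domain=".example.com"; Path="/"',
                              'www.example.com', '/login');
if (accepted.ok) {
  console.log(cookiesFor([accepted.cookie], 'other-host.example.com', '/'));  // [ 'SID' ]
}
```

The rejection rules limit which hosts can *set* a domain-wide cookie (not higher than one label up, never a bare top-level suffix), but they say nothing about which host under that suffix later *receives* it; that is the gap the message is pointing at.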