New Cookie related Internet Drafts from Yngve N. Pettersen on 2006-03-20 (ietf-http-wg@w3.org from January to March 2006)

From: Yngve N. Pettersen <yngve@opera.com>
Date: Mon, 20 Mar 2006 13:27:54 +0100
To: ietf-http-wg@w3.org
Message-ID: <op.s6powsylkvaitl@lessa-ii.ietf65.org>
Hello all,

I have submitted two Internet Drafts concerning the problem of knowing  
whether or not the target domain of a cookie is a valid domain or TLD-like  
domain (like co.uk)

The drafts describe 1) Opera's current "rule of thumb" implementation that  
uses DNS in an attempt to confirm the validity of a domain, and 2) a  
proposed new HTTP based lookup service that returns a TLD registry's own  
specification of their domain structure, this specification can then be  
used to validate a cookie domain, an dmay also be used for other purposes.


-----------------------

Title: Enhanced validation of domains for HTTP State Management Cookies  
using DNS

Author(s): Y. Pettersen
Filename: draft-pettersen-dns-cookie-validate-00.txt
Pages: 10
Date: 2006-3-1

HTTP State Management Cookies are used for a wide variety of tasks on
the Internet, from preference handling to user identification.  An
important privacy and security feature of cookies is that their
information can only be sent to a servers in a limited namespace, the
domain.

The variation of domain structures that are in use by domain name
registries, especially the country code Top Level Domains (ccTLD)
namespaces, makes it difficult to determine what is a valid domain, e.g.  
example.co.uk and example.no, which cookies should be permitted for, and a  
TLD-like domain (subTLDs) like co.uk where cookies should not be permitted.

This document specifies an imperfect method using DNS name lookups for
cookie domains to determine if cookies can be permitted for that domain,  
based on the assumption that most subTLD domains will not have an IP  
address assigned to them, while most legitimate services that share  
cookies among multiple servers will have an IP address for their domain  
name to make the user's navigation easier by omitting the customary "www"  
prefix.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-00.txt

-----------------------

Title: The TLD Subdomain Structure Protocol and its use for Cookie domain  
validation

Author(s): Y. Pettersen
Filename: draft-pettersen-subtld-structure-00.txt
Pages: 11
Date: 2006-3-1

This document defines a protocol that can be used by a client to
discover how a Top Level Domain (TLD) is organized in terms of what
subdomains are used to place closely related but independent domains,
e.g. commercial domains in country code TLDs (ccTLD) like .uk are placed  
in the .co.uk subTLD domain.

This information is then used to limit which domains an Internet service  
can set cookies for, strengthening the rules already defined by the cookie  
specifications.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-00.txt

-------------------------

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Monday, 20 March 2006 19:28:23 UTC