- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Tue, 16 Jan 2007 19:25:22 +0100
- To: ietf-http-wg@w3.org
Hi,
In October I released the Internet Drafts listed below, and announced them
here in the HTTP WG list <URL:
http://lists.w3.org/Archives/Public/ietf-http-wg/2006OctDec/0116 >.
I'd like to ask the HTTP community to consider the problems described in
the drafts, the possible solutions that are proposed, and whether or not
there are alternative solutions that will work better.
---------------------------------------
Title : The TLD Subdomain Structure Protocol and its
use for Cookie domain validation
Author(s) : Y. Pettersen
Filename : draft-pettersen-subtld-structure-01.txt
Pages : 14
Date : 2006-10-26
This document defines a protocol and specification format that can be
used by a client to discover how a Top Level Domain (TLD) is
organized in terms of what subdomains are used to place closely
related but independent domains, e.g. commercial domains in country
code TLDs (ccTLD) like .uk are placed in the registry-like .co.uk
subTLD domain. This information is then used to limit which domains
an Internet service can set cookies for, strengthening the rules
already defined by the cookie specifications.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-01.txt
---------------------------------------
Title : Enhanced validation of domains for HTTP State
Management Cookies using DNS
Author(s) : Y. Pettersen
Filename : draft-pettersen-dns-cookie-validate-01.txt
Pages : 13
Date : 2006-10-26
HTTP State Management Cookies are used for a wide variety of tasks on
the Internet, from preference handling to user identification. An
important privacy and security feature of cookies is that their
information can only be sent to a servers in a limited namespace, the
domain.
The variation of domain structures that are in use by domain name
registries, especially the country code Top Level Domains (ccTLD)
namespaces, makes it difficult to determine what is a valid domain,
e.g. example.co.uk and example.no, which cookies should be permitted
for, and a registry-like domain (subTLDs) like co.uk where cookies
should not be permitted.
This document specifies an imperfect method using DNS name lookups
for cookie domains to determine if cookies can be permitted for that
domain, based on the assumption that most subTLD domains will not
have an IP address assigned to them, while most legitimate services
that share cookies among multiple servers will have an IP address for
their domain name to make the user's navigation easier by omitting
the customary "www" prefix.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-01.txt
---------------------------------------
Title : HTTP State Management Mechanism v2
Author(s) : Y. Pettersen
Filename : draft-pettersen-cookie-v2-00.txt
Pages : 30
Date : 2006-10-18
This document specifies a way to create a stateful session with
Hypertext Transfer Protocol (HTTP) requests and responses. It
describes three headers, Cookie, Cookie2, and Set-Cookie2, which
carry state information between participating origin servers and user
agents. The method described here differs from both Netscape's
Cookie proposal [Netscape], and [RFC2965], but it can, provided some
requirements are met, interoperate with HTTP/1.1 user agents that use
Netscape's method. (See the HISTORICAL section.)
This document defines new rules for how cookies can be shared between
servers within a domain. These new rules are intended to address
security and privacy concerns that are difficult to counter for
clients implementing Netscape's proposed rules or the rules specified
by RFC 2965.
This document reflects implementation experience with RFC 2965 and
obsoletes it.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-00.txt
---------------------------------------
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve@opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
Received on Tuesday, 16 January 2007 18:28:20 UTC