- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Thu, 12 Jul 2007 19:24:21 +0200
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Hello all, I have posted the following four updated HTTP related draft about problems with cookies and caching, as proposed ways to solve those problems For more background see my articles: http://my.opera.com/yngve/blog/show.dml/267415 http://my.opera.com/yngve/blog/show.dml/388840 http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the ------- Forwarded message ------- From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Subject: I-D ACTION:draft-pettersen-cookie-v2-01.txt Date: Thu, 12 Jul 2007 18:15:14 +0200 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : HTTP State Management Mechanism v2 Author(s) : Y. Pettersen Filename : draft-pettersen-cookie-v2-01.txt Pages : 31 Date : 2007-7-12 This document specifies a way to create a stateful session with Hypertext Transfer Protocol (HTTP) requests and responses. It describes three HTTP headers, Cookie, Cookie2, and Set-Cookie2, which carry state information between participating origin servers and user agents. The method described here differs from both Netscape's Cookie proposal [Netscape], and [RFC2965], but it can, provided some requirements are met, interoperate with HTTP/1.1 user agents that use Netscape's method. (See the HISTORICAL section.) This document defines new rules for how cookies can be shared between servers within a domain. These new rules are intended to address security and privacy concerns that are difficult to counter for clients implementing Netscape's proposed rules or the rules specified by RFC 2965. This document reflects implementation experience with RFC 2965 and obsoletes it. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-01.txt ------- Forwarded message ------- From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Subject: I-D ACTION:draft-pettersen-dns-cookie-validate-02.txt Date: Thu, 12 Jul 2007 18:15:14 +0200 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Enhanced validation of domains for HTTP State Management Cookies using DNS Author(s) : Y. Pettersen Filename : draft-pettersen-dns-cookie-validate-02.txt Pages : 14 Date : 2007-7-12 HTTP State Management Cookies are used for a wide variety of tasks on the Internet, from preference handling to user identification. An important privacy and security feature of cookies is that their information can only be sent to a servers in a limited namespace, the domain. The variation of domain structures that are in use by domain name registries, especially the country code Top Level Domains (ccTLD) namespaces, makes it difficult to determine what is a valid domain, e.g. example.co.uk and example.no, which cookies should be permitted for, and a registry-like domain (subTLDs) like co.uk where cookies should not be permitted. This document specifies an imperfect method using DNS name lookups for cookie domains to determine if cookies can be permitted for that domain, based on the assumption that most subTLD domains will not have an IP address assigned to them, while most legitimate services that share cookies among multiple servers will have an IP address for their domain name to make the user's navigation easier by omitting the customary "www" prefix. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-02.txt ------- Forwarded message ------- From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Subject: I-D ACTION:draft-pettersen-subtld-structure-02.txt Date: Thu, 12 Jul 2007 18:15:14 +0200 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : The TLD Subdomain Structure Protocol and its use for Cookie domain validation Author(s) : Y. Pettersen Filename : draft-pettersen-subtld-structure-02.txt Pages : 14 Date : 2007-7-12 This document defines a protocol and specification format that can be used by a client to discover how a Top Level Domain (TLD) is organized in terms of what subdomains are used to place closely related but independent domains, e.g. commercial domains in country code TLDs (ccTLD) like .uk are placed in the .co.uk subTLD domain. This information is then used to limit which domains an Internet service can set cookies for, strengthening the rules already defined by the cookie specifications. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-02.txt ------- Forwarded message ------- From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Subject: I-D ACTION:draft-pettersen-cache-context-01.txt Date: Thu, 12 Jul 2007 18:15:15 +0200 A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : A context mechanism for controlling caching of HTTP responses Author(s) : Y. Pettersen Filename : draft-pettersen-cache-context-01.txt Pages : 18 Date : 2007-7-12 A common problem for sensitive web services is informing the client, in a reliable fashion, when a password protected resource is no longer valid because the user is logged out of the service. This is, in particular, considered a potential security problem by some sensitive services, such as online banking, when the user navigates the client's history list, which is supposed to display the resource as it was when it was loaded, not as it is at some later point in time. This document presents a method for collecting such sensitive resources into a group, called a "Cache Context", which permits the server to invalidate all the resources belonging in the group either by direct action, or according to some expiration policy. The context can be configured to invalidate not just the resources, but also specific cookies, HTTP authentication credentials and HTTP over TLS session information. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-pettersen-cache-context-01.txt -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
Received on Thursday, 12 July 2007 17:23:55 UTC