Re: [DNSOP] Public Suffix List

On Wed, 2008-06-11 at 10:10 +0100, Gervase Markham wrote:

> Other list participants were warning about the possibility of people
> abandoning Firefox in droves if there were cookie-related problems
> caused by its use of public suffix list.

If you do this wrongly, yes.

> You, on the other hand, are
> suggesting that we can just make changes to the way cookies work and
> expect broken sites to fix themselves. These seem to be two
> irreconcilable views of the future.

No. Neither users nor sites are completely static in nature.

> Long history and experience has shown us that we can't just break
> people's websites like that.

Sites do break in upgrades. Problems arise if you break too many of them
and neither the site operators nor users have an easy way around, or when
they do not understand why things broke. Fortunately the area we are
discussing is fundamentally broken by design, and sites do break today
differently in different browsers.

If you want something positive to come out of discussions like this you
have to have a little more of an open mind in looking where to find solutions.
There are at least 10 different solutions to the cookie domain problem,
of varying complexity and feasibility. Your proposed list is one, and
not a completely bad one, but very incomplete and too static to be
feasible as "the" solution to this problem. But it's a reasonable
interim step to patch things up while discussing how the actual problem
should be addressed.

In short the cookie problem is threefold:

a) Receivers of a cookie have no way of knowing who issued that cookie.

b) Receivers of cookies have no means of indicating who is allowed to
set cookies for them.

c) Issuers of cookies often want to issue a cookie to multiple domains
all of which are under their administrative control, but often have to
fight the very blunt domain based filters. As a result we have many
designs using URL based transfer of the cookie details when moving from
one site to another when better operation would be seen if the cookie
could be managed as a single cookie valid for multiple sites. These "URL
based cookie tunnels" are often installed as a way around broken browser
cookie policies, and I would suspect they often create gaping security
issues from lacking awareness of why these policies even exist.

Regards
Henrik

Received on Wednesday, 11 June 2008 11:06:42 UTC
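The thread above argues about what a browser should do with a Set-Cookie Domain attribute and how a public suffix list changes that decision. The following is an added example, not code from the thread or from Mozilla's implementation: a minimal lookup in the public suffix list format (plain rules, "*." wildcard rules, "!" exception rules, and the implicit "*" default) and the Domain-attribute check a browser can build on top of it. The rule set embedded below is a constructed handful of entries for illustration, not the real list; the function names (`public_suffix`, `registrable_domain`, `cookie_domain_allowed`) are this example's own.

```python
"""
Added example: public suffix lookup and a cookie Domain-attribute check.
The rule text is a constructed subset written in PSL syntax, not the
real public suffix list.
"""

# Constructed subset of rules in PSL syntax; comments and blanks are ignored.
PSL_RULES_TEXT = """
// constructed ICANN-style rules
com
uk
co.uk
*.ck
!www.ck
// constructed private-section rule (a hosting platform)
github.io
"""


def parse_rules(text):
    """Return (exceptions, wildcards, plain) as sets of label tuples."""
    exceptions, wildcards, plain = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exceptions.add(tuple(line[1:].lower().split(".")))
        elif line.startswith("*."):
            wildcards.add(tuple(line[2:].lower().split(".")))
        else:
            plain.add(tuple(line.lower().split(".")))
    return exceptions, wildcards, plain


RULES = parse_rules(PSL_RULES_TEXT)


def public_suffix(host):
    """Return the public suffix of host using the PSL matching algorithm."""
    labels = tuple(host.lower().rstrip(".").split("."))
    exceptions, wildcards, plain = RULES
    # An exception rule wins outright; the suffix is the rule minus its first label.
    for i in range(len(labels)):
        if labels[i:] in exceptions:
            return ".".join(labels[i + 1:])
    best = 1  # implicit default rule "*": a bare TLD is always public
    for i in range(len(labels)):
        tail = labels[i:]
        if tail in plain:
            best = max(best, len(tail))
        # "*.x" matches exactly one label followed by x
        if len(tail) >= 2 and tail[1:] in wildcards:
            best = max(best, len(tail))
    return ".".join(labels[-best:])


def registrable_domain(host):
    """Public suffix plus one label, or None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = public_suffix(host).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def cookie_domain_allowed(request_host, domain_attr):
    """
    Accept a Set-Cookie Domain attribute only if it (1) domain-matches the
    request host and (2) is not a public suffix. Check (2) is what the
    suffix list adds: without it, a site under co.uk could set a cookie
    for Domain=co.uk that every other site under co.uk would receive.
    """
    host = request_host.lower().rstrip(".")
    domain = domain_attr.lower().strip(".")
    if not domain:
        return False
    # (1) RFC-style domain-match: equal, or host ends with "." + domain
    if host != domain and not host.endswith("." + domain):
        return False
    # (2) the attribute must name at least a registrable domain
    return registrable_domain(domain) is not None


if __name__ == "__main__":
    for host, attr in [("www.example.co.uk", ".example.co.uk"),
                       ("www.example.co.uk", "co.uk"),
                       ("alice.github.io", "github.io"),
                       ("www.ck", "www.ck")]:
        print(f"{host} Domain={attr}: {cookie_domain_allowed(host, attr)}")
```

Two points in the post show up directly in the checks. The private-section rule for the hosting platform is why a "static" list is a concern: the owner of a hosted subdomain gets its own cookie scope only if the platform's entry is present. The exception rule shows the list has to carry per-registry knowledge that no purely algorithmic domain filter can derive, which is the "blunt domain based filters" complaint from a different angle.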