Re: Origin cookies, and First-party cookies.

Hi, Mike

Not Mark, but I think I can give you some info.

We tried to get a “cookie replacement” discussion going at websec. Here’s a good summary of the proposals by Trevor Perrin:
http://www.ietf.org/mail-archive/web/websec/current/msg01719.html

You can add your ideas to the list, as well as Andrei Popov’s Token Binding <http://www.ietf.org/proceedings/91/slides/slides-91-uta-2.pdf>

So where’s the place to discuss this?  WebSec as a working group is closing down in a couple of months. The mailing list might stay in place if there’s meaningful discussion going on there. Currently, there is not. 

This mailing list is for discussing current work items for httpbis: HTTP/2, Alt-Svc, etc.  A little discussion of related “homeless” topics is usually tolerated as long as there is a small amount of traffic that does not distract people from the on-topic discussions.

Your proposal (and Andrei’s) have one important thing that the authors of proposals in the previous round didn’t: the people behind them (you and Andrei) actually work on browsers, so your proposals might get implemented. That’s a good start.

So, for starters it’s OK to start the discussion here. If it picks up steam, then you can have a conversation with Mark and Barry (our area director) about whether this activity should continue on this mailing list, move to some other mailing list (token binding is currently discussed in UTA) or start its own mailing list. When (and if) things seem to be converging (on a list of requirements and 1 or more proposals) then we can have the discussion again about what working group should handle this: httpbis, uta or a new working group.

But start with showing that there is interest.

Hope this helps

Yoav

> On Nov 21, 2014, at 6:57 PM, Mike West <mkwst@google.com> wrote:
> 
> Hello, ietf-http-wg folks!
> 
> I posted two cookie-related drafts before the HNL meeting, which I hope some of you took a few moments to skim through: origin cookies[1] (an update of Adam Barth's "Cake"), and first-party cookies[2] (cookies which are sent iff the top-level browsing context would have received them).
> 
> Did you skim through the proposals? Do you have opinions? I hope the answer to both questions is yes! :)
> 
> It's not clear to me whether this group is the right place to work on those concepts, but it seems like a good place to start. Also, I have to admit that I'm an IETF newbie; I don't know the process or procedure for deciding this kind of thing. Mark, can you help out a bit?
> 
> Thanks!
> 
> [1]: https://tools.ietf.org/html/draft-west-origin-cookies-00
> [2]: https://tools.ietf.org/html/draft-west-first-party-cookies-00
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 21 November 2014 20:50:09 UTC