Re: Origin cookies, and First-party cookies.

Hi, Mike

I believe you are underestimating the abilities of a working group to pick and bike-shed. Your proposal may look straightforward to you, but by the time everyone’s had their say, a lot will have been said.

When we tried to make a “what’s wrong with cookies” list in WebSec, we had a really long list, because different people had different things that bothered them: the bearer token nature of them, the scoping, the irrevocability, the fact that it gets transmitted again and again.

Another issue that makes this a risky proposition to any (existing or new) working group is that there are multiple proposals out there. This very working group spent quite a few months picking among different proposals for a starting point for HTTP/2, even though SPDY was there first and had an implementation in the field. Having a prototype is a good thing in that it helps ADs and participants know that a specification has a decent chance of getting deployed. Interest from browser vendors also goes a long way towards that goal. 

For now, there has been a weak response to your message. There are some people who are not following httpbis closely who might also be interested. To make this a work item (for this or a new WG) we’d have to show several things:
 - A clearly defined problem (no need for a draft)
 - A clear and concise set of requirements (this is where people might come up with their own pet requirements)
 - Interest from potential implementers (I think we got that)
 - A direction for a solution (hopefully with at least a rough consensus that this is the correct direction)
 - People willing to edit a document for the working group (you?)
 - People willing to review. There is nothing so frustrating as a WG session where the chair asks “who has read the document” and only the document authors raise their hands.

So assuming we can get at least the first 4 of these, then there’s something to talk about with our AD.

Yoav

Received on Monday, 24 November 2014 22:47:33 UTC