Re: Report on preliminary decision on TLS 1.3 and client auth

In message <>, Yoav Nir writes:
>> On Sep 25, 2015, at 12:18 PM, Poul-Henning Kamp <> wrote:
>> --------
>> In message <>, Amos Jeffries writes:
>>> Ah. Sorry I seem to have misunderstood your meaning of "provides the
>>> proof that a server needs to regard the entire session to be authentic"
>>> to mean the cert was connection-wide.
>> I would like to remind people that, contrary to widespread assumptions,
>> HTTP doesn't have "sessions".
>> Sessions are typically implemented by mistaking (groups of) connections
>> for a session, or by means of opaque unstandardized cookies.
>Why do you call cookies unstandardized?

Cookies are standardized just fine.

What I tried to say above is that we don't know which cookie
identifies the session.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 25 September 2015 10:15:13 UTC