- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 15 Aug 2018 23:20:00 +0100
- To: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <94a49b45-c84d-4067-9458-404f1515ffd1@cs.tcd.ie>
Hiya,

On 14/08/18 11:38, Mike West wrote:
> Hey folks,
>
> https://github.com/mikewest/http-state-tokens suggests that we should
> introduce a client-controlled, origin-bound, HTTPS-only session identifier
> for network-level state management. And eventually deprecate cookies.
>
> I think there's a conversation here worth having, and this group has
> thought a lot about the space over the last decade or two. I'd appreciate
> y'all's feedback, both about the problems the document discusses with
> regard to cookies as they exist today, and about the sketchy proposal it
> advances about managing HTTP state in the future.

I'd be very keen to see HTTP state management become more privacy friendly, but I don't see how this moves us in that direction tbh. Be happy to be wrong though. Things that make me think that include:

- new unique IDs for clients seems like a bad plan (64 bits seems way too many from a re-identification POV), the idea of the web UA just automatically spewing those out seems particularly misdirected, if that is the idea

- I don't see how this'd incent web UAs nor web servers to behave in more privacy friendly ways, at best it seems neutral

That said, I do support discussing these ideas, just not (what I think is) this particular less-baked plan in its as-is state.

S.

>
> Thanks!
>
> -mike
Attachments
- application/pgp-keys attachment: 0x5AB2FAF17B172BEA.asc
Received on Wednesday, 15 August 2018 22:20:32 UTC