- From: Mike West <mkwst@google.com>
- Date: Mon, 27 Aug 2018 11:48:52 +0200
- To: rigo@w3.org
- Cc: Kari hurtta <hurtta-ietf@elmme-mailer.org>, HTTP Working Group <ietf-http-wg@w3.org>, squid3@treenet.co.nz
- Message-ID: <CAKXHy=fZfHeaTG8UdJ3Y7DZa900NyvQRGSzhD1=JEsAzdtO5ig@mail.gmail.com>
On Mon, Aug 27, 2018 at 11:38 AM Rigo Wenning <rigo@w3.org> wrote:

> On Monday, August 27, 2018 11:19:06 AM CEST Mike West wrote:
> > I believe Rigo's proposal in
> > https://github.com/mikewest/http-state-tokens/pull/2 is to bind
> > multiple purposes to a single identifier. I think we'd be better
> > served if the user agent minted distinct identifiers for a (very)
> > small number of purposes whose intentions are publicly described.
> > Either way, there's room for healthy debate on the topic.
>
> My suggestion was actually the contrary: To bind identifiers to a
> certain class of purposes (one purpose).
>

Then I misunderstood your PR, apologies.

> The problem with purposes is that there is an infinite number of
> them. But we also have purposes that are relatively common. I want
> to cover those first. Even though this sounds like multiple purposes
> I want to clarify here that this could also mean one identifier per
> purpose (or class thereof).
>

That sounds reasonable to me, with the caveat that because there are an infinite number of purposes with an infinite amount of granularity, I do not want to put user agents in the position of mediating all of them.

It makes more sense to me for user agents to circumscribe a set of purposes in a general topic area ("authentication" and "advertising" both seem like reasonable levels of granularity to me), and mint distinct tokens for each. It makes much less sense to me for user agents to accept arbitrary purposes and mint distinct tokens for each; that's basically the status quo, with the minor change that we'd have renamed "cookie's name" to "token's purpose".

> Because IF we have a purpose stated in a specification or
> description, using that identifier for a different purpose (e.g.
> cross-site tracking) is then triggering the potential for legal
> actions in most countries except in the US.
>

I'll defer to lawyers on legal questions, and note instead that providing a well-lit path gives user agents the ability to put fences in place that keep folks on said path.

-mike
Received on Monday, 27 August 2018 09:49:27 UTC