- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Thu, 28 Mar 2019 21:40:46 +0200
- To: Mike West <mkwst@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Mar 28, 2019 at 11:14:22AM +0100, Mike West wrote:
> Way back in August, 2018, I started a thread [1] on a proposal to introduce
> a client-controlled, origin-bound, HTTPS-only session identifier for
> network-level state management [2].
>
> I wasn't able to make it to IETF104, but I will be attending the HTTP
> workshop next week. In the hopes of sparking some conversations there, I've
> formalized the proposal as
> https://tools.ietf.org/html/draft-west-http-state-tokens-00, clarifying
> some pieces based on y'all's earlier feedback. I'm looking forward to your
> feedback on, either here on the list, or at the workshop next week.

I see some issues:

- This mechanism looks to lack server opt-in, which runs into issues with
  EU "cookie law". Specifically, it does not seem to be possible to use this
  for any purpose without triggering disclaimer requirements. Whereas there
  are still use cases for cookies that do not necessarily do so (for
  example, login).

- The request signing mechanism looks like one that would break if there is
  some CDN or reverse proxy in the path that adds a header or a few
  (sometimes with some non-standard one in the mix). Or is it expected that
  all CDNs or reverse proxies on path for application using this mechanism
  can rewrite the MAC?

-Ilari
Received on Tuesday, 2 April 2019 16:51:07 UTC
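The intermediary problem Ilari raises in his second point, shown as an added example that is not code from this thread, from the draft, or from any CDN: a request MAC whose canonical form covers every header present is invalidated as soon as a reverse proxy appends hop headers, while a MAC bound to an explicit list of signed components survives the same proxy. The canonical string format, the `X-Demo-State` header name, the proxy model and the key are all assumptions constructed for illustration, not the draft's wire format.

```python
"""Added example: request-MAC canonicalization versus header-adding proxies.
Nothing here is the draft's actual signing scheme; the canonical form,
header names, proxy behaviour and key are constructed for illustration."""
import hashlib
import hmac


def normalize(headers):
    """Lower-case header names and strip whitespace so the canonical form is
    independent of how the sender capitalized or padded them."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def canonical(method, path, headers, signed_names=None):
    """Build the byte string the MAC covers.

    signed_names=None  -> cover every header present (fragile: any header an
                          intermediary adds changes the string).
    signed_names=[...] -> cover only the listed components (robust to added
                          headers; the list itself must be fixed by the spec
                          or conveyed and verified alongside the MAC).
    """
    h = normalize(headers)
    names = sorted(h) if signed_names is None else [n.lower() for n in signed_names]
    parts = [method.upper(), path]
    for name in names:
        parts.append(f"{name}:{h.get(name, '')}")
    return "\n".join(parts).encode()


def sign(key, method, path, headers, signed_names=None):
    """HMAC-SHA256 over the canonical form; returned as hex."""
    return hmac.new(key, canonical(method, path, headers, signed_names), hashlib.sha256).hexdigest()


def verify(key, mac, method, path, headers, signed_names=None):
    """Constant-time check of a received MAC against a recomputed one."""
    expected = sign(key, method, path, headers, signed_names)
    return hmac.compare_digest(expected, mac)


def proxy_forward(headers):
    """Constructed model of a CDN / reverse proxy that appends its own
    headers on the way to the origin, as Ilari describes."""
    out = dict(headers)
    out["Via"] = "1.1 edge-cache.example"          # constructed value
    out["X-Forwarded-For"] = "203.0.113.7"         # constructed, documentation range
    out["X-Edge-Request-Id"] = "demo-0001"         # a non-standard one in the mix
    return out


# Constructed demo key and client-sent headers; X-Demo-State stands in for
# whatever header would carry the state token.
KEY = b"constructed-demo-key"
CLIENT_HEADERS = {
    "Host": "example.com",
    "X-Demo-State": "token=abc123",
    "Accept": "text/html",
}
SIGNED = ["host", "x-demo-state"]


def demo():
    """Sign at the client, forward through the proxy, verify at the origin."""
    mac_all = sign(KEY, "GET", "/account", CLIENT_HEADERS)
    mac_listed = sign(KEY, "GET", "/account", CLIENT_HEADERS, SIGNED)
    at_origin = proxy_forward(CLIENT_HEADERS)

    # Tampering case: the bound token is changed in transit.
    tampered = dict(at_origin)
    tampered["X-Demo-State"] = "token=evil"

    return {
        "all_headers_survives_proxy": verify(KEY, mac_all, "GET", "/account", at_origin),
        "listed_survives_proxy": verify(KEY, mac_listed, "GET", "/account", at_origin, SIGNED),
        "listed_detects_token_change": verify(KEY, mac_listed, "GET", "/account", tampered, SIGNED),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The cover-everything variant fails at the origin with no attacker involved at all, which is exactly the deployment failure Ilari anticipates. Binding the MAC to a named component list keeps verification working behind the proxy and still catches modification of the components that matter; the caveat is that the list of signed names must be fixed by the specification or transmitted and validated with the MAC, since a verifier that accepts any list an intermediary presents would also accept an empty one.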