W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2019

Re: Formalizing the HTTP State Tokens proposal.

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Thu, 28 Mar 2019 21:40:46 +0200
To: Mike West <mkwst@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20190328194046.GA26916@LK-Perkele-VII>
On Thu, Mar 28, 2019 at 11:14:22AM +0100, Mike West wrote:
> Way back in August, 2018, I started a thread [1] on a proposal to introduce
> a client-controlled, origin-bound, HTTPS-only session identifier for
> network-level state management [2].
> 
> I wasn't able to make it to IETF104, but I will be attending the HTTP
> workshop next week. In the hopes of sparking some conversations there, I've
> formalized the proposal as
> https://tools.ietf.org/html/draft-west-http-state-tokens-00, clarifying
> some pieces based on y'all's earlier feedback. I'm looking forward to your
> feedback on, either here on the list, or at the workshop next week.

I see some issues:

- This mechanism looks to lack server opt-in, which runs into issues
  with EU "cookie law". Specifically, it does not seem to be possible
  to use this for any purpose without triggering disclaimer
  requirements. Whereas there are still usecases cookies that do not
  necressarily do so (for example, login).

- The request signing mechansims looks like one that would break if
  there is some CDN or reverse proxy in the path that adds a header
  or a few (sometimes with some non-standard one in the mix). Or is it
  expected that all CDNs or reverse proxies on path for application
  using this mechanism can rewrite the MAC?


-Ilari
Received on Tuesday, 2 April 2019 16:51:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:34 UTC