- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 25 Nov 2009 15:32:18 +1100
- To: public-ietf-w3c <public-ietf-w3c@w3.org>
FYI.
Begin forwarded message:
> From: IESG Secretary <iesg-secretary@ietf.org>
> Date: 25 November 2009 5:00:02 AM AEDT
> To: ietf-announce@ietf.org
> Cc: http-state@ietf.org
> Subject: [http-state] WG Review: HTTP State Management Mechanism (httpstate)
> Reply-To: iesg@ietf.org
>
> A new IETF working group has been proposed in the Applications Area. The
> IESG has not made any determination as yet. The following draft charter
> was submitted, and is provided for informational purposes only. Please
> send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday,
> December 1, 2009.
>
> HTTP State Management Mechanism (httpstate)
> ---------------------------------------------------
> Current Status: Proposed Working Group
> Last modified: 2009-11-11
>
> Chair(s):
> TBD
>
> Applications Area Director(s):
> Lisa Dusseault <lisa.dusseault@gmail.com>
> Alexey Melnikov <alexey.melnikov@isode.com>
>
> Applications Area Advisor:
> Lisa Dusseault <lisa.dusseault@gmail.com>
>
> Mailing Lists:
> General Discussion: http-state@ietf.org
> To Subscribe: https://www.ietf.org/mailman/listinfo/http-state
> Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html
> Alternative Archive: http://groups.google.com/group/http-state
>
> Description of Working Group:
>
> The HTTP State Management Mechanism (aka Cookies) was originally
> created by Netscape Communications in their informal Netscape cookie
> specification ("cookie_spec.html"), from which formal specifications
> RFC 2109 and RFC 2965 evolved. The formal specifications, however,
> were never fully implemented in practice; RFC 2109, in addition to
> cookie_spec.html, more closely resembles real-world implementations than
> RFC 2965, even though RFC 2965 officially obsoletes the former.
> Compounding the problem are undocumented features (such as HTTPOnly),
> and varying behaviors among real-world implementations.
>
> The working group will create a new RFC that obsoletes RFC 2109 and
> specifies Cookies as they are actually used in existing implementations
> and deployments. Where differences exist among the most commonly used
> implementations, the working group will document the variations. Where
> consensus exists among the most commonly used implementations, the
> working group will specify the consensus behavior.
>
> The working group must not introduce any new syntax or new semantics
> not already in common use.
>
> The working group's specific deliverables are:
>
> * A standards-track document that is suitable to supersede RFC 2109
> (likely based on draft-abarth-cookie)
> * An informational document cataloguing the differences between major
> implementations
>
> In doing so, the working group should consider:
>
> * cookie_spec.html - Netscape Cookie Specification
> http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
> * RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)
> http://tools.ietf.org/html/rfc2109
> * RFC 2964 - Use of HTTP State Management
> http://tools.ietf.org/html/rfc2964
> * RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
> http://tools.ietf.org/html/rfc2965
> * I-D - HTTP State Management Mechanism v2
> http://tools.ietf.org/html/draft-pettersen-cookie-v2
> * I-D - Cookie-based HTTP Authentication
> http://tools.ietf.org/html/draft-broyer-http-cookie-auth
> * Widely Implemented - HTTPOnly
> http://www.owasp.org/index.php/HTTPOnly
> * Browser Security Handbook - Cookies
> http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
> * HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol
> http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf
>
> Goals and Milestones:
>
> Jan 2010 - Feature-complete Internet-Draft of Cookie specification
> Mar 2010 - Feature-complete test suite of Cookie specification
> May 2010 - First fully conforming implementation in a major browser
> Jul 2010 - Last Call for Cookie specification
> Sep 2010 - Second fully conforming implementation in a major browser
> Nov 2010 - Submit Cookie specification to IESG for consideration as
> a Draft Standard
> Nov 2010 - Submit deviation description to IESG for consideration as
> Informational
--
Mark Nottingham http://www.mnot.net/
Received on Wednesday, 25 November 2009 04:32:51 UTC