Re: 'HTTP State Management Mechanism' to Proposed Standard from =JeffH on 2011-03-03 (www-tag@w3.org from March 2011)

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Thu, 03 Mar 2011 14:11:21 -0800
To: IETF HTTP State WG <http-state@ietf.org>, Internet Architecture Board <iab@iab.org>, www-tag@w3.org
CC: httpstate chair <httpstate-chairs@tools.ietf.org>, Adam Barth <ietf@adambarth.com>, Peter Saint-Andre <stpeter@stpeter.im>, Bil Corry <bil@corry.biz>
Message-ID: <4D701209.9090008@KingsMountain.com>

Mea culpa :(

I relied on my obviously faulty memory this morning in my haste rather than 
going back (only 2+ yrs ;) and reviewing mailing list archives, and so didn't 
recall that Bil was instrumental in the creation of this effort.

Many thanks to Bil for instigating this effort. Here's something he wrote wrt 
the history of this recent edition of the http-state working group..

   "A bit of history on this effort, it was well known within the IETF 
community that the supposed "official" cookie specification (RFC2965) was 
out-of-sync with how browsers were actually using cookies -- the browser 
vendors never implemented RFC2965 (except Opera).  Anyone wanting to consume or 
send cookie headers had to reverse engineer how the browsers were actually 
doing it as there wasn't (until now) a specification an implementer could use 
for reference.  This lead to a variety of divergence on edge-cases for cookies 
within the implementations.

   In late 2008, Jim Manico and I connected to create a specification for 
HTTPOnly -- we saw the security issues arising from how the browser vendors 
were implementing HTTPOnly in varying ways[1] due to a lack of a specification 
and formed an ad-hoc working group to tackle the issue[2].

   When I approached the IETF about forming a charter for an official working 
group, I was told that I was <quote> "wasting my time" because cookies itself 
did not have a proper specification, so it didn't make sense to work on a spec 
for HTTPOnly.  Soon after, we pursued reopening the IETF httpstate Working 
Group to tackle the entire cookie spec, not just HTTPOnly.  Eventually Adam 
Barth would become editor and Jeff Hodges our chair.

   This cleans up a well-known mess and gives us a good starting point from 
which to improve httpstate and add improved security features.

   And no, it's not lost on me that HTTPOnly still has considerable divergence 
on behavior.  Perhaps now I can finally form my HTTPOnly working group.

(Bil Corry)"


HTH,

=JeffH

Received on Thursday, 3 March 2011 22:18:30 UTC