RE: making progress on cookies
Yaron Goland (yarong@microsoft.com)
Sat, 11 Oct 1997 19:55:15 -0700
I understand the concerns regarding unsigned cookies but at the same
time I do not believe we can create restrictions that are not arbitrary.
For example, the two hierarchy level restriction. As such I believe the
best we can do is state "You want security? Use a signature."
How many systems do you know that go out of their way to specify security in
situations where the user intentionally chooses not to use any security?
Yaron
> -----Original Message-----
> From: David W. Morris [SMTP:dwm@xpasc.com]
> Sent: Saturday, October 11, 1997 12:32 PM
> To: Yaron Goland
> Cc: Dave Kristol; http-state@lists.research.bell-labs.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com; http-wg@cuckoo.hpl.hp.com
> Subject: RE: making progress on cookies
>
>
>
> On Fri, 10 Oct 1997, Yaron Goland wrote:
>
> > An alternative proposal is to take the signed cookie draft and combine
> > it with the protocol draft and put that up as the standard. That way we
> > don't have to argue over heuristics which prevent legitimate
> > functionality and instead use a policy based system backed up with
> > authentication.
>
> This alternative would not be a complete solution since it would drop
> the default specification for cookie privacy when the cookie presented
> was not signed.
>
> I have no problem with an alternative which includes completing work
> on the signed cookie proposal but I see that as additional specification
> and not replacing some form of the existing privacy specifications.
>
> Dave Morris