the state of State

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Ted Hardie: "(Fwd) web-priv list set up"
• Previous message: Dave Kristol: "Re: Customizing the authentication dialog"

At the IETF meeting I promised to send out a summary of where things
stand and where things ought to go to nail down a revised HTTP State
Management.  This is it.

Please keep the discussion on http-state@lists.research.bell-labs.com.
(See <http://www.bell-labs.com/mailing-lists/http-state/>.)  I'm sending
this message to http-wg only as a courtesy.

Step 1:  Nail down the "wire protocol".

	At the IETF meeting I believe we narrowed down the outstanding
	issue(s) to the domain-matching rules.  There are two
	sub-problems:  a) flat namespaces in intranets; and b) using
	the n-dot rule to restrict the set of servers to which a cookie
	can be returned.

	I believe we actually resolved the flat namespace problem.  The
	resolution is that, if the Domain attribute is omitted in
	Set-Cookie2, the client is restricted to return the cookie only
	to the server from which it came.  That rule applies regardless
	of the name (and how many dots it contains).

	That leaves the domain-matching restriction rules to address.

Step 2:  reach consensus on the "privacy rules"

	Attendees thought they could arrive at an agreement about the
	interaction of the (previous) privacy rules and the user
	interface.

	The rules for unverifiable transactions, or at least the
	default user agent setting for them, remain contentious.


For now I would like to restrict the discussion "agenda bashing" for
Step 1 only.  Does anyone believe there are other outstanding issues?

Dave Kristol

• Next message: Ted Hardie: "(Fwd) web-priv list set up"
• Previous message: Dave Kristol: "Re: Customizing the authentication dialog"