Fwd: [http-state] WG Review: HTTP State Management Mechanism (httpstate)



Mark Nottingham-2
FYI.

Begin forwarded message:

> From: IESG Secretary <[hidden email]>
> Date: 25 November 2009 5:00:02 AM AEDT
> To: [hidden email]
> Cc: [hidden email]
> Subject: [http-state] WG Review: HTTP State Management Mechanism (httpstate)
> Reply-To: [hidden email]
>
> A new IETF working group has been proposed in the Applications Area.  The
> IESG has not made any determination as yet.  The following draft charter
> was submitted, and is provided for informational purposes only.  Please
> send your comments to the IESG mailing list ([hidden email]) by Tuesday,
> December 1, 2009.
>
> HTTP State Management Mechanism (httpstate)
> ---------------------------------------------------
> Current Status: Proposed Working Group
> Last modified: 2009-11-11
>
> Chair(s):
>  TBD
>
> Applications Area Director(s):
>  Lisa Dusseault <[hidden email]>
>  Alexey Melnikov <[hidden email]>
>
> Applications Area Advisor:
>  Lisa Dusseault <[hidden email]>
>
> Mailing Lists:
>  General Discussion: [hidden email]
>  To Subscribe: https://www.ietf.org/mailman/listinfo/http-state 
>  Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html
>  Alternative Archive: http://groups.google.com/group/http-state 
>
> Description of Working Group:  
>
> The HTTP State Management Mechanism (aka Cookies) was originally
> created by Netscape Communications in their informal Netscape cookie
> specification ("cookie_spec.html"), from which formal specifications
> RFC 2109 and RFC 2965 evolved.  The formal specifications, however,
> were never fully implemented in practice; RFC 2109, in addition to
> cookie_spec.html, more closely resembles real-world implementations than
> RFC 2965, even though RFC 2965 officially obsoletes the former.
> Compounding the problem are undocumented features (such as HTTPOnly),
> and varying behaviors among real-world implementations.  
>
> The working group will create a new RFC that obsoletes RFC 2109 and
> specifies Cookies as they are actually used in existing implementations
> and deployments.  Where differences exist among the most commonly used
> implementations, the working group will document the variations.  Where
> consensus exists among the most commonly used implementations, the
> working group will specify the consensus behavior.  
>
> The working group must not introduce any new syntax or new semantics
> not already in common use.  
>
> The working group's specific deliverables are:
>
> * A standards-track document that is suitable to supersede RFC 2109
> (likely based on draft-abarth-cookie)
> * An informational document cataloguing the differences between major
>   implementations
>
> In doing so, the working group should consider:
>
> * cookie_spec.html - Netscape Cookie Specification
> http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
> * RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)    
> http://tools.ietf.org/html/rfc2109 
> * RFC 2964 - Use of HTTP State Management    
> http://tools.ietf.org/html/rfc2964 
> * RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)    
> http://tools.ietf.org/html/rfc2965 
> * I-D - HTTP State Management Mechanism v2    
> http://tools.ietf.org/html/draft-pettersen-cookie-v2 
> * I-D - Cookie-based HTTP Authentication    
> http://tools.ietf.org/html/draft-broyer-http-cookie-auth 
> * Widely Implemented - HTTPOnly    
> http://www.owasp.org/index.php/HTTPOnly 
> * Browser Security Handbook - Cookies  
> http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
> * HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol    
> http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf 
>
> Goals and Milestones:
>
> Jan 2010 - Feature-complete Internet-Draft of Cookie specification
> Mar 2010 - Feature-complete test suite of Cookie specification
> May 2010 - First fully conforming implementation in a major browser
> Jul 2010 - Last Call for Cookie specification
> Sep 2010 - Second fully conforming implementation in a major browser
> Nov 2010 - Submit Cookie specification to IESG for consideration as
>           a Draft Standard
> Nov 2010 - Submit deviation description to IESG for consideration as
>           Informational
> _______________________________________________
> http-state mailing list
> [hidden email]
> https://www.ietf.org/mailman/listinfo/http-state


--
Mark Nottingham     http://www.mnot.net/