Archive for the ‘History’ Category

‘HTTP State Management Mechanism’ (“cookies”) to Proposed Standard

Monday, March 7th, 2011

There have been various fundamental issues with “HTTP cookies” for ages, both technical and policy-wise (i.e. privacy). The two extant formal specifications of cookies, IETF RFCs 2109 and 2965, as well as the original informal and incomplete “Netscape cookie spec”, have not been implemented uniformly across browsers and servers. Thus how cookies are actually constructed, parsed, and used in practice has been essentially technical folklore. Anyone wanting to craft a new browser or some other application or tool that needs to consume or send cookie headers had to reverse engineer how the browsers were actually doing it, as there wasn’t (until now) an accurate specification an implementer could use for reference. This has led to divergence on edge cases for cookies within various browsers, servers, and other tools.

We’ve been working with browser, server, and web app folk in an IETF working group, “httpstate”, to rectify this, and the draft spec was recently approved for publication as an IETF RFC at the “Proposed Standard” maturity level. This spec differs from the prior specs in that it specifies how cookies are actually used on the Internet today. Anyone crafting a new client or server can implement the spec and have an interoperable implementation as a result.
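To make the “edge-case divergence” concrete, here is an added example (my own illustration, not code from this post or from the httpstate working group) of the lenient Set-Cookie parsing and send-decision rules that the spec, published as RFC 6265, writes down: attribute names are case-insensitive, Max-Age wins over Expires, a leading dot on Domain is dropped, a Path not starting with “/” falls back to the request’s default path, and a server may not set a cookie for a domain that does not match the request host. Two simplifications are assumptions of mine, not the spec’s: the standard-library date parser stands in for the spec’s more forgiving date algorithm, and the public-suffix check is omitted.

```python
"""Set-Cookie parsing and send decisions in the style of RFC 6265 (added example).
Simplifications (assumptions): stdlib RFC 1123 date parsing instead of the
spec's lenient date algorithm; no public-suffix list check."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # stands in for "earliest representable time"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # request host when no Domain attribute was given
    host_only: bool
    path: str
    secure: bool = False
    http_only: bool = False
    expires: Optional[datetime] = None   # None means a session cookie


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """Domain-match: equal, or `domain` is a dot-separated suffix of a host name (not an IP)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (host.endswith("." + domain) and not _is_ip(host))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match: equal, or a prefix ending in "/" or followed by "/" in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_host: str, default_path: str = "/",
                     now: Optional[datetime] = None) -> Optional[Cookie]:
    """Return the Cookie a conforming client would store, or None when the header is ignored."""
    now = now or datetime.now(timezone.utc)
    head, _, rest = header.partition(";")
    if "=" not in head:
        return None                                   # no name=value pair: ignore header
    name, _, value = head.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None                                   # empty name: ignore header

    attrs = {}
    for attr in rest.split(";"):
        aname, _, aval = attr.partition("=")
        aname, aval = aname.strip().lower(), aval.strip()   # attribute names are case-insensitive
        if aname == "max-age" and re.fullmatch(r"-?[0-9]+", aval):
            delta = int(aval)
            attrs["max-age"] = EPOCH if delta <= 0 else now + timedelta(seconds=delta)
        elif aname == "expires":
            try:
                dt = parsedate_to_datetime(aval)
                attrs["expires"] = dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass                                  # unparseable date: ignore the attribute
        elif aname == "domain" and aval:
            attrs["domain"] = (aval[1:] if aval.startswith(".") else aval).lower()  # drop leading dot
        elif aname == "path":
            attrs["path"] = aval if aval.startswith("/") else default_path
        elif aname == "secure":
            attrs["secure"] = True
        elif aname == "httponly":
            attrs["httponly"] = True
        # unknown attributes are ignored

    domain = attrs.get("domain")
    if domain is not None and not domain_matches(request_host, domain):
        return None           # a host may not set cookies for unrelated domains
    return Cookie(
        name=name, value=value,
        domain=domain if domain is not None else request_host.lower(),
        host_only=domain is None,
        path=attrs.get("path", default_path),
        secure=attrs.get("secure", False),
        http_only=attrs.get("httponly", False),
        expires=attrs.get("max-age", attrs.get("expires")),   # Max-Age beats Expires
    )


def should_send(cookie: Cookie, host: str, path: str, secure_channel: bool,
                now: Optional[datetime] = None) -> bool:
    """Would a conforming client attach this cookie to a request for host/path?"""
    now = now or datetime.now(timezone.utc)
    if cookie.expires is not None and cookie.expires <= now:
        return False
    if cookie.host_only:
        if host.lower() != cookie.domain:
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(path, cookie.path):
        return False
    return secure_channel or not cookie.secure
```

The defensive points worth noticing are the two places a header is rejected outright (no name, or a Domain that does not match the responding host) and the Secure flag check in `should_send`, which is what keeps a cookie off a cleartext request.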

This is great in that getting this finally explicitly documented will be a key underlying piece of moving “the Web”, and the wider Internet it’s built upon, on towards its next stage(s). Hopefully, browsers and servers can now converge their “cookie behaviors” :)

Our more detailed blog post (which includes some history) is here..

‘HTTP State Management Mechanism’ to Proposed Standard
http://www.thesecuritypractice.com/the_security_practice/2011/03/http-state-management-mechanism-to-proposed-standard.html

=JeffH sez check it out :)

Of various bits of networked computing identity history

Wednesday, December 20th, 2006

Someone had posted on the private-club IDworkshop@ list…
>
> If you were to look back on the entire evolution of digital identity
> systems to date, what would you highlight as some of the key milestone
> events?

And my small contribution to the resulting stream-of-consciousness thread was (essentially, i’ve edited it some)…

In terms of more recent developments in online identity in a computing context (as opposed to, say, a PSTN context), the invention of a notion of an “account” (aka identity/identifier) mapped to a user and/or department/org is one of the earliest building blocks. Note that this can apply to batch processing as well as time-shared processing (i had an account when i was doing my first batch jobs on a CDC3150). This is the paper that ostensibly began the notion of time-sharing..

R.W.Bemer, “How to consider a computer”, Data Control Section,
Automatic Control Magazine, 1957 Mar, 66-69
http://www.trailing-edge.com/~bobbemer/PUBS-1.HTM

http://en.wikipedia.org/wiki/Bob_Bemer

http://en.wikipedia.org/wiki/Time-sharing

http://en.wikipedia.org/wiki/Multiuser

Also note that in IBM TSO (time share option) users could send interactive messages to each other — this was my first personal experience with what we would today call an “IM” system.

Also in terms of IM, the first distributed IM system, in the sense of today’s AIM/Y!/Gizmo/Skype/etc, that I heard about was MIT’s Project Athena’s Zephyr, which was in wide use at MIT in the latter half of the 80’s.

http://en.wikipedia.org/wiki/Zephyr_%28protocol%29

http://en.wikipedia.org/wiki/Project_Athena

Then there was one of the first truly personal computers, the Xerox Alto (conceptualized in 1972), which was subsequently networked via Metcalfe & Boggs’ Ethernet, which then gave John Shoch and Jon Hupp the fertile ground in which to realize John Brunner’s prescient SF imagining of “worms” infesting computer networks…

http://en.wikipedia.org/wiki/Alto_%28computer%29

http://en.wikipedia.org/wiki/Ethernet

http://en.wikipedia.org/wiki/John_Brunner_%28novelist%29

http://vx.netlux.org/lib/ajm01.html

Note that within Xerox, especially in Palo Alto, the Alto was essentially a production machine. At PARC, by the late 70’s, everyone had one, even secretaries – there were several thousand of them built. Email (Grapevine) was used extensively for everything, including communicating with building facilities.

Birrell, A. D., Levin, R., Needham, R. M. and Schroeder, M. D.:
“Grapevine: An Exercise in Distributed Computing”. Communications of the ACM, 25(4), pp. 260-273.

In terms of Kerberos, it was based on Needham & Schroeder’s work, published in 1978..

Roger M. Needham and Michael D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers”, Communications of the ACM, 21(12) p 993.

..and which was the basis of the XNS Authentication protocol, which pre-dated Kerberos.

Oh, and in terms of Public Keys, Kohnfelder’s 1978 thesis “Towards a Practical Public-Key Cryptosystem” is predicated on Diffie and Hellman’s paper of 1976 “New Directions in Cryptography” as well as R, S, & A’s famous paper.

http://en.wikipedia.org/wiki/Loren_Kohnfelder

http://en.wikipedia.org/wiki/Martin_Hellman

http://en.wikipedia.org/wiki/Whitfield_Diffie

http://theory.csail.mit.edu/~cis/theses/kohnfelder-bs.pdf

R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.

And of course, the above only scratches the surface of this large body of work….