Re: Continuing to draft mux WG charter
From: by way of Henrik Frystyk Nielsen (chris@innosoft.com)
Date: Thu, Feb 11 1999
Message-Id: <3.0.5.32.19990211191414.02ef8bc0@localhost>
Date: Thu, 11 Feb 1999 19:14:14 -0500
To: ietf-http-ng@w3.org
From: Chris Newman <chris@innosoft.com> (by way of Henrik Frystyk Nielsen <frystyk@w3.org>)
Subject: Re: Continuing to draft mux WG charter
On Wed, 10 Feb 1999, Mike Spreitzer wrote:
> OK, I've taken Chris Newman's hint and expanded a bit on security, and
> also Jim Whitehead's hint to clarify the nature of the goals document.
> You can view the latest draft at:
> <http://www.w3.org/Protocols/HTTP-NG/1999/02/mux-Charter-210.html>
What I don't find acceptable is wording akin to "security's not our
problem" which is basically what this proposed charter says.
Here is an example of wording I would find acceptable:
----
The MEMUX WG will not design new security services. The document will
describe how MEMUX interacts with existing security services (such as
IPsec, TLS and SASL) and what impact it will have on higher or
lower-level security services.
----
There are subtle issues which need to be dealt with:
* If user authentication is done below the MEMUX layer, how will
  higher-level protocols "know" that?
* If user authentication is done above the MEMUX layer, what
  damage can passive or active attacks at the MEMUX layer cause?
* What impact will MEMUX have on firewalls when used to multiplex
  multiple services on the same port?
Security most definitely is part of the problem.
- Chris