Re: Continuing to draft mux WG charter

From: by way of Henrik Frystyk Nielsen (chris@innosoft.com)
Date: Thu, Feb 11 1999


Message-Id: <3.0.5.32.19990211191414.02ef8bc0@localhost>
Date: Thu, 11 Feb 1999 19:14:14 -0500
To: ietf-http-ng@w3.org
From: Chris Newman <chris@innosoft.com> (by way of Henrik Frystyk Nielsen <frystyk@w3.org>)
Subject: Re: Continuing to draft mux WG charter

On Wed, 10 Feb 1999, Mike Spreitzer wrote:
> OK, I've taken Chris Newman's hint and expanded a bit on security, and
> also Jim Whitehead's hint to clarify the nature of the goals document. 
> You can view the latest draft at:
> <http://www.w3.org/Protocols/HTTP-NG/1999/02/mux-Charter-210.html>

What I don't find acceptable is wording akin to "security's not our
problem" which is basically what this proposed charter says.

Here is an example of wording I would find acceptable:

----
   The MEMUX WG will not design new security services.  The document will
   describe how MEMUX interacts with existing security services (such as
   IPsec, TLS and SASL) and what impact it will have on higher or
   lower-level security services.
----

There are subtle issues which need to be dealt with:

* If user authentication is done below the MEMUX layer, how will
  higher-level protocols "know" that?
* If user authentication is done above the MEMUX layer, what
  damage can passive or active attacks at the MEMUX layer cause?
* What impact will MEMUX have on firewalls when used to multiplex
  multiple services on the same port?

Security most definitely is part of the problem.

		- Chris