W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997


From: Jim Gettys <jg@pa.dec.com>
Date: Thu, 20 Nov 1997 17:13:42 -0800
Message-Id: <9711210113.AA11863@pachyderm.pa.dec.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4782

I've received mail from both Ari and Josh this evening; it looks like they 
are not going to be able to get an updated version of 306 done (particularly 
since 306 (set proxy) depended on the elaborated OPTIONS spec, we've been 
unable to converge on).

I'm going to remove the changes made in draft 08 (rev-00) for
this issue, though I think I'll add a few words around limiting
305 to origin servers, for a single request. (to deal with the
fundamental security issue 305 raises).  Right now, anyone working
to the last draft silly enough to try to implement it would be doing
more harm than good, so I don't want to leave the rev 00 wording
in Rev 01...

Having said that:

I believe the set proxy functionality is REALLY badly needed for operational 
and web evolution reasons, in my personal opinion.  The sooner the better.

But Set Proxy needs to be done right, because the potential for spoofing 
attacks is very large, and the design work better not be hurried.

Unless/until an updated proposal 306 (set proxy) gets made (and soon) to 
the working group, I'm extremely pessimistic about 306 (set proxy) making 
draft standard of HTTP/1.1.

Even then, one might argue that set proxy is new functionality, and I don't 
want this to hang up getting HTTP/1.1 to draft standard.  So my opinion 
is at this date to undock the set proxy functionality into a separate document. 

We cannot introduce new functionality between proposed standard and draft 
standard, only fix problems found in the proposed standard; as usual IETF 
leaves this to the judgement call of the editor, working group chair, and 
area directors, and ultimately IESG; there is wiggle room, but not infinite 
amounts. In many ways, I'd be happier if the Set Proxy were an independent 
document, particularly at this date.

I suggest more serious thought be made to how to resolve this outside of 
the base HTTP/1.1 specification, sad though that may be, and that we undock 
set proxy.  If people get cracking, such a document could go to proposed
standard, as HTTP/1.1 goes to draft, without risking hanging up HTTP/1.1
going to draft...

			Your editor,

				- Jim Gettys
Received on Thursday, 20 November 1997 17:18:52 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC