W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Robert Sayre <sayrer@gmail.com>
Date: Fri, 20 Oct 2006 03:50:45 -0400
Message-ID: <68fba5c50610200050m34296ff0u3d2327fb04c5ae2e@mail.gmail.com>
To: "Larry Masinter" <masinter@gmail.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 10/19/06, Larry Masinter <masinter@gmail.com> wrote:
>
> I would think that mandatory-to-implement security requirements
> might depend on the application,

That doesn't make any sense to me.

> I wonder if the start of this discussion was
> in response to "IESG response to the appeal by Robert Sayre"
>

No, that's the last data point.

> http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg03034.html
>
> My understanding of BCPs and policies in general is that
> they leave room for judgment.
>

I agree. But the response is "this is the policy" when there are very
real practical problems with the policy. There needs to be a technical
discussion. Actually, it has happened, and the MTI people don't have a
leg to stand on, absent a pie-in-the-sky universal HTTP security
mechanism.

So far, I have found a disturbing tendency to lean on the documents.
My first attempt was to point out that the documents don't actually
support "the policy". Evidently, it is OK for IETF management to cite
normative folklore and then add clauses to whatever documents are in
front of them at the time to deal with an appeal. That's cool with
me--I will get consensus and rewrite the policy so there is no
arguing.

I think anyone entertaining an HTTP revision is a fool to do so
without a clear statement on security requirements. The last upgrade
HTTP security received was SSL, courtesy of Netscape Communications.

-- 

Robert Sayre
Received on Friday, 20 October 2006 07:50:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT