W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: Straw-man charter for http-bis

From: Chris Newman <Chris.Newman@Sun.COM>
Date: Wed, 06 Jun 2007 15:42:54 -0700
To: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Cc: Apps Discuss <discuss@apps.ietf.org>
Message-id: <6AE049B9045C00064222693F@[10.1.110.5]>

Here's my take as AD on some of the interesting topics in this thread:

1. HTTP Digest Authentication

The SASL WG appears to have decided that SASL DIGEST-MD5 is not a useful 
authentication mechanism for a number of technical reasons.  I would be 
uncomfortable having a WG spend a lot of time refining the existing HTTP Digest 
mechanism based on that experience.  However, documenting the i18n behavior of 
deployed implementations sounds like a sensible thing to do.

2. HTTP Security

Phishing demonstrates that HTTP's present security mechanisms are not adequate 
to meet some important requirements of the present users of the protocol.  I 
would be uncomfortable moving HTTP from Draft Standard to Standard given this 
situation.  It's likely that new work on HTTP security mechanisms (as outlined 
by draft-hartman-webauth-phishing) is necessary.  However, even with the 
present security situation, I have no doubt that RFC 2616 is widely useful and 
improving the technical clarity of the base specification is good work that 
would benefit the Internet community.  The minimum work necessary to make a 
draft standard revision of the base specification complete would be to clearly 
document the limitations of the presently deployed HTTP security mechanisms and 
the fact they are not adequate for all situations.  Beyond that I consider it 
inappropriate to hold publication of a useful revision hostage to new security 
engineering work.  That opinion may not be shared by others on the IESG. 
Regardless, I would very much like to see forward progress on the HTTP security 
situation.

3. One vs. Two WGs

I would support the formation of two separate WGs: HTTP and HTTP security as 
the people who have appropriate expertise for those efforts are not identical. 
Indeed I'd be uncomfortable with a single WG that was both revising 2616 and 
designing new HTTP security mechanisms as the latter may be helped by the 
attention of security experts that likely have no interest in the former.

4. Specification Rewrite

Because the IETF process gives quite a bit of control to the document editor 
and design teams, our process allows an alternate editor to produce a competing 
specification and ask for a WG consensus call to adopt that competing 
specification.  This is discussed in the following IESG Note:
   <http://www.ietf.org/IESG/STATEMENTS/Design-Teams.txt>
>From discussions here, I suspect it's unlikely an alternate specification would 
be adopted by the WG in this case, especially because it might drop the target 
status from draft to proposed for the reasons Keith mentioned.  However, this 
is an important mechanism the keep the process open.

                - Chris Newman
                Applications Area Director
Received on Wednesday, 6 June 2007 22:43:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT