W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: Straw-man charter for http-bis

From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 07 Jun 2007 18:23:26 -0400
Message-ID: <4668855E.7080409@cs.utk.edu>
To: Paul Leach <paulle@windows.microsoft.com>
CC: Justin Erenkrantz <justin@erenkrantz.com>, Paul Hoffman <phoffman@imc.org>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org

1. "A Proposed Standard should have no known technical omissions with
respect to the requirements placed upon it."

2. Draft and full Standard documents must also meet the requirements for
Proposed Standard.

3. "Security" is generally accepted as a requirement for all Internet
standards-track protocols, but this is rather vague as the meaning of
"security" varies from one protocol and use case to another.  In the
case of HTTP there is clearly a need for clients to be able to
authenticate to servers, servers to be authenticate to clients, and for
there to be a means to assure the secrecy of data passed between servers
and clients.

> For a long time, the IESG has required that all new protocols have a
> "security considerations" section. I have not heard that that has
> changed to a more stringent mandate. For many protocols, including
> HTTP, that section would have to show that they are securable.
> However, in addition, IMO it is obvious that for HTTP, that section
> also says that anonymous clients and unauthenticated servers are OK
> in many circumstances, and here are the mechanisms that can be used
> when it isn't OK.
Received on Thursday, 7 June 2007 22:24:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:42 UTC