- From: Keith Moore <moore@cs.utk.edu>
- Date: Thu, 07 Jun 2007 18:23:26 -0400
- To: Paul Leach <paulle@windows.microsoft.com>
- CC: Justin Erenkrantz <justin@erenkrantz.com>, Paul Hoffman <phoffman@imc.org>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org

1. "A Proposed Standard should have no known technical omissions with respect to the requirements placed upon it."
2. Draft and full Standard documents must also meet the requirements for Proposed Standard.
3. "Security" is generally accepted as a requirement for all Internet standards-track protocols, but this is rather vague as the meaning of "security" varies from one protocol and use case to another. In the case of HTTP there is clearly a need for clients to be able to authenticate to servers, servers to be able to authenticate to clients, and for there to be a means to assure the secrecy of data passed between servers and clients.

> For a long time, the IESG has required that all new protocols have a
> "security considerations" section. I have not heard that that has
> changed to a more stringent mandate. For many protocols, including
> HTTP, that section would have to show that they are securable.
> However, in addition, IMO it is obvious that for HTTP, that section
> also says that anonymous clients and unauthenticated servers are OK
> in many circumstances, and here are the mechanisms that can be used
> when it isn't OK.

Received on Thursday, 7 June 2007 22:24:32 UTC