On Jun 7, 2007, at 11:03 AM, Paul Leach wrote:

> For a long time, the IESG has required that all new protocols have a
> "security considerations" section. I have not heard that that has
> changed to a more stringent mandate.

There's a little more, mostly in RFC3552, e.g. "Unprotected (plaintext) username/password systems are not acceptable in IETF standards."

> For many protocols, including HTTP,
> that section would have to show that they are securable. However, in
> addition, IMO it is obvious that for HTTP, that section also says that
> anonymous clients and unauthenticated servers are OK in many
> circumstances, and here are the mechanisms that can be used when it
> isn't OK.

+1

Lisa

Received on Thursday, 7 June 2007 23:16:31 GMT