Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 22.02.2012 11:46, Tim Bray wrote:
> [in-line]
>
> On Tue, Feb 21, 2012 at 2:40 PM, Mark Nottingham wrote:
>>> And then should it include adding some new options
>>> or MTI auth schemes as part of HTTP/2.0 or even looking
>>> at that? (I think it ought to include trying for that
>>> personally, even if there is a higher-than-usual risk
>>> of failure.)
>>
>>
>> Based on past experience, I think the risk is very high, and we 
>> don't need to pile any more risk onto this particular project.
>
> +1
>
> HTTP's ability to be equipped with security technology has been
> adequate, and I haven't heard much argument that its semantics were
> the big obstacle to newer/better security.  Preserving its semantics
> means its successor should be equally adequate.
>
> Mnot is *understating* the risk of loading up the charter with this 
> stuff. -T


+1.

I think the new security additions should be limited to making it clear 
and ensuring that HTTP as a transport neither adds nor substracts 
security to the overall system.
  HTTP over TLS or such has connection-level security/authentication as 
inherited from that TLS.
  HTTP message authentication or such has per-message security for the 
particular message.

We may have to consider new features or restrictions to ensure that TLS 
level security is retained end-to-end or such. But fixing problems in 
those other layers in a charter to re-design the middle HTTP layer seems 
inappropriate.

AYJ

Received on Tuesday, 21 February 2012 23:29:28 UTC