Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 22 Feb 2012 12:29:02 +1300
To: <ietf-http-wg@w3.org>
Message-ID: <4f35d0b99d4b7b034450c8a360855308@treenet.co.nz>

On 22.02.2012 11:46, Tim Bray wrote:
> [in-line]
>
> On Tue, Feb 21, 2012 at 2:40 PM, Mark Nottingham wrote:
>>> And then should it include adding some new options
>>> or MTI auth schemes as part of HTTP/2.0 or even looking
>>> at that? (I think it ought to include trying for that
>>> personally, even if there is a higher-than-usual risk
>>> of failure.)
>>
>>
>> Based on past experience, I think the risk is very high, and we 
>> don't need to pile any more risk onto this particular project.
>
> +1
>
> HTTP's ability to be equipped with security technology has been
> adequate, and I haven't heard much argument that its semantics were
> the big obstacle to newer/better security.  Preserving its semantics
> means its successor should be equally adequate.
>
> Mnot is *understating* the risk of loading up the charter with this 
> stuff. -T


+1.

I think the new security additions should be limited to making it clear 
and ensuring that HTTP as a transport neither adds nor subtracts 
security to the overall system.
  HTTP over TLS or such has connection-level security/authentication as 
inherited from that TLS.
  HTTP message authentication or such has per-message security for the 
particular message.

We may have to consider new features or restrictions to ensure that TLS 
level security is retained end-to-end or such. But fixing problems in 
those other layers in a charter to re-design the middle HTTP layer seems 
inappropriate.

AYJ
Received on Tuesday, 21 February 2012 23:29:28 GMT
