Re: Moving forward on improving HTTP's security from Mark Nottingham on 2013-11-13 (ietf-http-wg@w3.org from October to December 2013)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 13 Nov 2013 23:56:39 +0800
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <5E7558F7-C02C-405B-A127-F1F3F16FE70D@mnot.net>

On 13 Nov 2013, at 10:04 pm, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Mark Nottingham wrote:
>> Your understanding of what happened seems like it’s different than the 
>> other people who I’ve spoken to. Regardless of that, however, we don’t 
>> need to discuss every option at physical meetings; we need to discuss 
>> them on the list. That’s what’s happening now.
> 
> As I understand your message, the discussion is over, the decision has
> been made.

No, I never said that the discussion is over. I said “there seems to be…”, “I believe,” and so forth. 

What I *do* want to avoid, however, is the back-and-forth advocacy that this sort of issue inevitably involves, and which doesn’t make any substantial contribution. Please restrict feedback to concrete technical issues regarding the matter at hand (that’s directly to the rest of the list, by the way, not Bjoern and Julian).

> That is what various news media are reporting and what is
> implied by your use of language like "revisit this decision”.

That’s an unfortunate choice of phrasing introduced by a last-minute change. My apologies.

> If your
> purpose was not to record that the subject matter has received due
> consideration on the mailing list and has now been decided and closed,
> and just meant to make a proposal, then you should clarify accordingly.

My purpose was to report what I believe to be a viable path forward, and have that confirmed on the list. I honestly believe that this is implementable and represents the best balance of concerns and preferences that have been expressed, along with the constraints we work under.

In particular, we need to specify something that the browser vendors will actually do, and that will ultimately get published as an RFC; we cannot force either. While I cannot guarantee these results, I do believe that this proposal will pass both of these tests, based upon a lot of legwork over the last two weeks.

If you have new information that might help us evaluate this, please present it. Whatever happens, we will be evaluating the path we take as we move forward.

Regards,

--
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 13 November 2013 15:57:17 UTC