Re: Moving forward on improving HTTP's security

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 13 Nov 2013 23:56:39 +0800
Cc: "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <5E7558F7-C02C-405B-A127-F1F3F16FE70D@mnot.net>
To: Bjoern Hoehrmann <derhoermi@gmx.net>

On 13 Nov 2013, at 10:04 pm, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Mark Nottingham wrote:
>> Your understanding of what happened seems like it's different than the 
>> other people who I've spoken to. Regardless of that, however, we don't 
>> need to discuss every option at physical meetings; we need to discuss 
>> them on the list. That's what's happening now.
> 
> As I understand your message, the discussion is over, the decision has
> been made.

No, I never said that the discussion is over. I said "there seems to be…", "I believe," and so forth.

What I *do* want to avoid, however, is the back-and-forth advocacy that this sort of issue inevitably involves, and which doesn't make any substantial contribution. Please restrict feedback to concrete technical issues regarding the matter at hand (that's directly to the rest of the list, by the way, not Bjoern and Julian).

> That is what various news media are reporting and what is
> implied by your use of language like "revisit this decision".

That's an unfortunate choice of phrasing introduced by a last-minute change. My apologies.

> If your
> purpose was not to record that the subject matter has received due
> consideration on the mailing list and has now been decided and closed,
> and just meant to make a proposal, then you should clarify accordingly.

My purpose was to report what I believe to be a viable path forward, and have that confirmed on the list. I honestly believe that this is implementable and represents the best balance of concerns and preferences that have been expressed, along with the constraints we work under.

In particular, we need to specify something that the browser vendors will actually do, and that will ultimately get published as an RFC; we cannot force either. While I cannot guarantee these results, I do believe that this proposal will pass both of these tests, based upon a lot of legwork over the last two weeks.

If you have new information that might help us evaluate this, please present it. Whatever happens, we will be evaluating the path we take as we move forward.

Regards,

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 13 November 2013 15:57:17 UTC
