#549 augment security considerations

<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/549>:

Stephen F. came up with the DISCUSS below during IESG review:

> Discuss (2013-12-19)
>
> There was originally supposed to be a separate deliverable to describe the security properties of HTTP, but that's not happening. I think it's fair to say that the security considerations here (or across the entire set) don't really do all of that as well. I think that does leave a gap. However, I'm not sure what to do about that, since I don't believe there's any real chance of getting anyone to address this gap - it's been tried and apparently failed, and with lots of security work in HTTP/2.0, it's extremely unlikely that a victim will be found for this un-fun task.
>
> That said, I do think it'd be worthwhile if the authors made an attempt to fill that gap by spending some cycles on finding a good set of references to HTTP security topics and adding those to the security considerations sections of p1 and/or p2.
>
> Now, I'm sure that the authors won't want to do that (who ever wants to do a state-of-the-art study? even a tiny one like this) so the point I want to DISCUSS with the IESG initially and then with the chair and authors is whether or not that's a reasonable ask. (So, authors, no need to chime in just yet.)

We discussed this somewhat more, and it appears there is no energy to 
write additional security considerations, nor to spend a lot of time 
reviewing existing research in the hope of finding something we could 
reference.

Two ideas came up:

1) Citing http://tools.ietf.org/html/rfc6819, and

2) Point people to sites that publish security research.

WRT 1) I'm not too enthusiastic about citing anything OAuth related from the 
HTTP spec.

WRT 2), I'd propose to add a single sentence to the end of the 
introduction of *each* Security Considerations appendix, such as:

"Note that the list of considerations below is not exhaustive --
security analysis is an ongoing activity. Various organizations, such as
the Open Web Application Security Project (OWASP,
<https://www.owasp.org/>), provide information about current research."

Feedback appreciated,

Julian

Received on Monday, 13 January 2014 19:35:39 UTC