- From: Brian E Carpenter <brian@hursley.ibm.com>
- Date: Fri, 12 Feb 1999 09:56:09 +0000
- To: Chris Newman <chris@innosoft.com>
- CC: Mike Spreitzer <spreitze@parc.xerox.com>, ietf-http-ng@w3.org, discuss@apps.ietf.org

I agree with Chris re security, but I have another concern or possibly a confusion. The draft is written very aggressively to assume TCP as the substrate; IMHO this is wrong. If a new transport protocol of the general flavour of T/TCP emerges, MEMUX must be able to use it.

Another thing I would like to see is a clear goal of being independent of IPv4 v IPv6, and able to function in a dynamic address environment such as NAT. In fact this is key to success.

Brian

Chris Newman wrote:
>
> On Wed, 10 Feb 1999, Mike Spreitzer wrote:
> > OK, I've taken Chris Newman's hint and expanded a bit on security, and
> > also Jim Whitehead's hint to clarify the nature of the goals document.
> > You can view the latest draft at:
> > <http://www.w3.org/Protocols/HTTP-NG/1999/02/mux-Charter-210.html>
>
> What I don't find acceptable is wording akin to "security's not our
> problem" which is basically what this proposed charter says.
>
> Here is an example of wording I would find acceptable:
>
> ----
> The MEMUX WG will not design new security services. The document will
> describe how MEMUX interacts with existing security services (such as
> IPsec, TLS and SASL) and what impact it will have on higher or
> lower-level security services.
> ----
>
> There are subtle issues which need to be dealt with:
>
> * If user authentication is done below the MEMUX layer, how will
>   higher-level protocols "know" that?
> * If user authentication is done above the MEMUX layer, what
>   damage can passive or active attacks at the MEMUX layer cause?
> * What impact will MEMUX have on firewalls when used to multiplex
>   multiple services on the same port?
>
> Security most definitely is part of the problem.
>
> - Chris

Received on Friday, 12 February 1999 04:58:59 UTC