- From: by way of Henrik Frystyk Nielsen <chris@innosoft.com>
- Date: Thu, 11 Feb 1999 19:14:14 -0500
- To: ietf-http-ng@w3.org
On Wed, 10 Feb 1999, Mike Spreitzer wrote: > OK, I've taken Chris Newman's hint and expanded a bit on security, and > also Jim Whitehead's hint to clarify the nature of the goals document. > You can view the latest draft at: > <http://www.w3.org/Protocols/HTTP-NG/1999/02/mux-Charter-210.html> What I don't find acceptable is wording akin to "security's not our problem" which is basically what this proposed charter says. Here an example of wording I would find acceptable: ---- The MEMUX WG will not design new security services. The document will describe how MEMUX interacts with existing security services (such as IPsec, TLS and SASL) and what impact it will have on higher or lower-level security services. ---- There are subtle issues which need to be dealt with: * If user authentication is done below the MEMUX layer, how will higher-level protocols "know" that? * If user authentication is done above the MEMUX layer, what damage can passive or active attacks at the MEMUX layer cause? * What impact will MEMUX have on firewalls when used to multiplex multiple services on the same port? Security most definitely is part of the problem. - Chris
Received on Thursday, 11 February 1999 19:14:16 UTC