- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Sat, 24 Feb 1996 00:05:05 PST
- To: khare@w3.org
- Cc: fielding@avron.ICS.UCI.EDU, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Because, not to offend anyone's intelligence, application-layer security != > channel-layer, and I'd hope that HTTP security would be done *within* HTTP > rather than in some security protocol that looks like pseudo-HTTP. That way, > it will track the evolution of HTTP itself. For example, try sending a > chunked-transfer-encoding stream through SHTTP: it can't, it would have to be > buffered up, since SHTTP doesn't track new 1.1 encodings. Security outside > HTTP cannot react as directly to new authentication schemes, interoperation > with noninvolved proxies, etc. The WTS group is scheduled to discuss the SHTTP proposal at the march meeting, prior to sending it on to IESG for "last call". As far as I have seen, there has been no discussion of this point of view on the WTS mailing list. Since this is the entire agenda for WTS, that is, there is a separate working group constituted by the IESG to deal with web security issues, it makes no sense for us to continue to discuss these issues here, especially when they have not been discussed THERE. Theoretical arguments about protocol extensibility hold no weight against long-standing implementation experience. I propose that we not take up "WRAPPED" again until *after* the discussion at the WTS working group on WRAPPED vs. SHTTP. Fortunately, HTTP meets on Tuesday and Thursday, and WTS meets on Wednesday, so it is possible to revisit WRAPPED in HTTP on Thursday if there's something to report from the WTS discussion.
Received on Saturday, 24 February 1996 00:14:43 UTC