RE: Last Call: Applicability Statement for HTTP State Management to BCP

> It is my understanding that a lack of consensus on the security
> considerations (in this case a lack of consensus on how much privacy is
> needed by default) implies a lack of consensus on the whole specification.

Koen, a careful reading of RFC 2026 notes that "consensus" is not
interpreted as "without disagreement", and that it outlines the
nature of the types of disagreements that might hold within a working
group. Although the specified default for cookie privacy was
in dispute in the working group, it was my judgement that the objections
were neither that

> (a) his or her own views have not been adequately considered
>   by the Working Group,

since the views on the default privacy behavior were considered
at length, and

> (b) the Working Group has made an incorrect technical choice
>   which places the quality and/or integrity of the Working Group's 
>   product(s) in significant jeopardy. 

since the disagreement was not about quality or integrity, but
rather about privacy policy and commercial viability, in an
advertising-dominated Internet, of the specified default behavior. 

Anyone who is not satisfied with the resolution of this dispute
can follow the dispute reoslution procedures outlined in RFC 2026,
but I maintain that, as far as the IETF process is concerned, the
working group reached "consensus" (albeit rough) on the entire

Larry Masinter
(as HTTP working group chair)

Received on Friday, 16 July 1999 16:52:32 UTC