- From: Larry Masinter <masinter@gmail.com>
- Date: Thu, 19 Oct 2006 21:45:07 +0000
- To: "'HTTP Working Group'" <ietf-http-wg@w3.org>

I think if we're talking about mandatory-to-implement security mechanisms, there actually seems to be some activity on the topic at http://www.w3.org/2006/WSC/

"Web Security Context Working Group

From our charter: The mission of the Web Security Context Working Group is to specify a baseline set of security context information that should be accessible to Web users, and practices for the secure and usable presentation of this information, to enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web."

I would think that mandatory-to-implement security requirements might depend on the application, and that there might be a "mandatory-to-implement" policy for "web browsing" that might not be "mandatory-to-implement" for all applications of HTTP.

I wonder if the start of this discussion was in response to "IESG response to the appeal by Robert Sayre" http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg03034.html

My understanding of BCPs and policies in general is that they leave room for judgment. In any case, appeals to IESG decisions should be made to the IAB.

Larry

Received on Friday, 20 October 2006 06:58:41 UTC