- From: Robert Sayre <sayrer@gmail.com>
- Date: Fri, 20 Oct 2006 03:50:45 -0400
- To: "Larry Masinter" <masinter@gmail.com>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
On 10/19/06, Larry Masinter <masinter@gmail.com> wrote:

> I would think that mandatory-to-implement security requirements
> might depend on the application,

That doesn't make any sense to me.

> I wonder if the start of this discussion was
> in response to "IESG response to the appeal by Robert Sayre"

No, that's the last data point.

> http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg03034.html
>
> My understanding of BCPs and policies in general is that
> they leave room for judgment.

I agree. But the response is "this is the policy" when there are very real practical problems with the policy. There needs to be a technical discussion. Actually, it has happened, and the MTI people don't have a leg to stand on, absent a pie-in-the-sky universal HTTP security mechanism.

So far, I have found a disturbing tendency to lean on the documents. My first attempt was to point out that the documents don't actually support "the policy". Evidently, it is OK for IETF management to cite normative folklore and then add clauses to whatever documents are in front of them at the time to deal with an appeal. That's cool with me--I will get consensus and rewrite the policy so there is no arguing.

I think anyone entertaining an HTTP revision is a fool to do so without a clear statement on security requirements. The last upgrade HTTP security received was SSL, courtesy of Netscape Communications.

--
Robert Sayre
Received on Friday, 20 October 2006 07:50:59 UTC