Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On 10/19/06, Larry Masinter <> wrote:
> I would think that mandatory-to-implement security requirements
> might depend on the application,

That doesn't make any sense to me.

> I wonder if the start of this discussion was
> in response to "IESG response to the appeal by Robert Sayre"

No, that's the last data point.

> My understanding of BCPs and policies in general is that
> they leave room for judgment.

I agree. But the response is "this is the policy" when there are very
real practical problems with the policy. There needs to be a technical
discussion. Actually, it has happened, and the MTI people don't have a
leg to stand on, absent a pie-in-the-sky universal HTTP security

So far, I have found a disturbing tendency to lean on the documents.
My first attempt was to point out that the documents don't actually
support "the policy". Evidently, it is OK for IETF management to cite
normative folklore and then add clauses to whatever documents are in
front of them at the time to deal with an appeal. That's cool with
me--I will get consensus and rewrite the policy so there is no

I think anyone entertaining an HTTP revision is a fool to do so
without a clear statement on security requirements. The last upgrade
HTTP security received was SSL, courtesy of Netscape Communications.


Robert Sayre

Received on Friday, 20 October 2006 07:50:59 UTC