- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Thu, 7 Jun 2007 11:03:59 -0700
- To: Justin Erenkrantz <justin@erenkrantz.com>, Paul Hoffman <phoffman@imc.org>
- CC: Keith Moore <moore@cs.utk.edu>, Apps Discuss <discuss@apps.ietf.org>, <ietf-http-wg@w3.org>
For a long time, the IESG has required that all new protocols have a "security considerations" section. I have not heard that that has changed to a more stringent mandate. For many protocols, including HTTP, that section would have to show that they are securable. However, in addition, IMO it is obvious that for HTTP, that section also says that anonymous clients and unauthenticated servers are OK in many circumstances, and here are the mechanisms that can be used when it isn't OK. -----Original Message----- From: Justin Erenkrantz Sent: Thursday, June 07, 2007 1:57 PM <snip> Furthermore, my understanding is that IESG now requires all new protocols to always be secure.
Received on Thursday, 7 June 2007 18:04:28 UTC