- From: Lisa Dusseault <lisa@osafoundation.org>
- Date: Thu, 7 Jun 2007 16:16:20 -0700
- To: Paul Leach <paulle@windows.microsoft.com>
- Cc: Justin Erenkrantz <justin@erenkrantz.com>, Paul Hoffman <phoffman@imc.org>, Keith Moore <moore@cs.utk.edu>, Apps Discuss <discuss@apps.ietf.org>, <ietf-http-wg@w3.org>

On Jun 7, 2007, at 11:03 AM, Paul Leach wrote:

> For a long time, the IESG has required that all new protocols have a
> "security considerations" section. I have not heard that that has
> changed to a more stringent mandate.

There's a little more, mostly in RFC3552, e.g. "Unprotected (plaintext) username/password systems are not acceptable in IETF standards."

> For many protocols, including HTTP,
> that section would have to show that they are securable. However, in
> addition, IMO it is obvious that for HTTP, that section also says that
> anonymous clients and unauthenticated servers are OK in many
> circumstances, and here are the mechanisms that can be used when it
> isn't OK.

+1

Lisa

Received on Thursday, 7 June 2007 23:16:31 UTC