- From: Travis Snoozy <ai2097@users.sourceforge.net>
- Date: Wed, 17 Jan 2007 11:22:29 -0800
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Wednesday, 17 January 2007 19:22:32 UTC
On Wed, Jan 17, 2007 at 07:57:47PM +0100, Henrik Nordstrom wrote:

> Specs do not say recipients MUST reject any malformed message. It
> doesn't even require recipients to detect malformed messages, and the
> robustness principle underlying most use of IETF protocols generally
> discourages it. And everything else in software development speaks
> against such rejections unless they happen "as a by-product" of the
> development.

No, the principles of secure development say "fail closed." If I don't
understand it, it gets chucked in the bin. Now, the "I don't understand
it" bit kills extensibility, but that's part and parcel of security --
you punch holes as you need them. The spec needs to be extensible, and
there's a balance to be struck between what's secure and what's
utilitarian. However, being _blatantly_ malformed (e.g., two of any
field that's not a #list) is always grounds for immediate rejection.
Fuzzy repair work, in this case, is a Very Bad Thing.

-- 
Travis
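The fail-closed rule argued for above (combine repeated #list fields, reject a repeated non-list field outright, never "repair") can be shown as a small header-section checker. This is an added example for this archive page, not code from either poster or from any HTTP implementation; the set of list-valued field names it knows is an illustrative subset chosen for the example, and it deliberately does not implement LWS line folding (a folded line is treated as unacceptable rather than guessed at).

```python
"""Fail-closed HTTP/1.1 header-section checker (illustrative example).

Rule implemented, following the thread above:
  * a field defined as a #list may repeat; its values are joined with
    ", " (the combination RFC 2616 section 4.2 permits);
  * a repeated field that is not a #list makes the message blatantly
    malformed, and the whole message is rejected, not repaired.
"""
import re

# Assumption: a small illustrative subset of fields whose grammar is a
# #list. A real implementation would enumerate every list field it knows.
LIST_FIELDS = frozenset({
    "accept", "accept-encoding", "accept-language", "cache-control",
    "connection", "transfer-encoding", "via", "vary", "warning", "te",
})

# token characters from RFC 2616 section 2.2, used to validate field names
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedMessage(ValueError):
    """Raised when the header section cannot be accepted as sent."""


def parse_headers(raw: bytes) -> dict:
    """Parse the header lines of a message (each line CRLF-terminated,
    terminating blank line excluded). Returns {lower-cased name: value}.

    Any defect the spec's own rules cannot resolve raises MalformedMessage;
    nothing is guessed, dropped, or "repaired".
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedMessage("non-ASCII octet in header section") from exc
    if text and not text.endswith("\r\n"):
        raise MalformedMessage("header line not terminated by CRLF")

    headers: dict = {}
    for line in text.split("\r\n")[:-1]:
        if line[:1] in (" ", "\t"):
            # Example simplification: obs-fold continuation lines are not
            # supported here, so they are rejected rather than interpreted.
            raise MalformedMessage("folded header line not accepted")
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            # covers empty names, whitespace before the colon, missing colon
            raise MalformedMessage(f"bad field line: {line!r}")
        key = name.lower()
        value = value.strip(" \t")
        if key not in headers:
            headers[key] = value
        elif key in LIST_FIELDS:
            headers[key] = headers[key] + ", " + value
        else:
            # two of a field that is not a #list: fail closed
            raise MalformedMessage(f"duplicate non-list field: {name}")
    return headers


def accepts(raw: bytes) -> bool:
    """True if the header section is acceptable as sent, False otherwise."""
    try:
        parse_headers(raw)
    except MalformedMessage:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    ok = b"Host: example.test\r\nAccept: text/html\r\nAccept: */*\r\n"
    dup = b"Host: a.test\r\nHost: b.test\r\n"
    print(parse_headers(ok))
    print("duplicate Host accepted?", accepts(dup))
```

`accepts()` is the only decision a recipient needs: a `False` means the message is discarded as a whole, which is the "chucked in the bin" behaviour the post describes, rather than picking one of the conflicting values.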