- From: Larry Masinter <LMM@acm.org>
- Date: Thu, 8 Mar 2007 11:15:39 -0800
- To: "'Mark Nottingham'" <mnot@mnot.net>, "'Julian Reschke'" <julian.reschke@gmx.de>
- Cc: "'Robert Sayre'" <sayrer@gmail.com>, "'Lisa Dusseault'" <lisa@osafoundation.org>, <ietf-http-wg@w3.org>

> * Identify mandatory-to-implement security mechanisms

There is no deadlock, or really a contradiction. "Identify mechanisms" doesn't mean that there will be a single mechanism, and "mandatory-to-implement" doesn't mean "mandatory in all situations".

BCP 56/RFC 3205 ("On the use of HTTP as a Substrate") section 2.3 ("Security") seems to me like a good start on what the security requirements for HTTP should be, and perhaps the charter item for the working group should be to review that section and either reference it or update it as necessary.

Larry

Received on Thursday, 8 March 2007 19:16:07 UTC