RE: Straw-man charter

>    * Identify mandatory-to-implement security mechanisms

There is no deadlock, or really a contradiction.
"Identify mechanisms" doesn't mean that there will be
a single mechanism, and "mandatory-to-implement" doesn't
mean "mandatory in all situations".

BCP 56/RFC 3205 ("On the use of HTTP as a Substrate")
section 2.3 ("Security") seems to me like a good start
on what the security requirements for HTTP should be,
and perhaps the charter item for the working group
should be to review that section and either reference
it or update it as necessary.


Received on Thursday, 8 March 2007 19:16:07 UTC