- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Thu, 30 Aug 2007 01:55:38 +0200
- To: Alexey Melnikov <alexey.melnikov@isode.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <1188431738.28577.76.camel@henriknordstrom.net>
On lör, 2007-08-11 at 17:30 +0100, Alexey Melnikov wrote: > Please chose one of the following answers: > > 1). No > 2). Yes, only add RFC 2818bis to the charter > 3). Yes, only add RFC 2817bis to the charter > 4). Yes, add both RFC 2817bis and RFC 2818bis to the charter > 5). Maybe (this includes "yes, but when the WG completes the currently > proposed milestones" and "yes, but this should be done in another WG") > 6). I have another opinion, which is .... 5. Not convinced they need a revision. But I also have not studied them in full detail. From a quick reading they do seem to contain a bit too much details and should be cut down, for example referencing the HTTP/1.1 message delimiting rules instead of miserably trying to mirror it again.. I consider it within the charter to consider if a reference to add a reference to these from the HTTP/1.1 security considerations section reasonable, and probably desireable. It's also worth noting that I don't see it likely that RFC2817 will ever get any momentum given how wide spread HTTP over TLS is combined with the lack of capability negotiation in HTTP and it's resulting security issues of having to first send the request in plain in order to discover the TLS capability of the server. This is quite different from the other IETF protocols having "TLS upgrade" capabilities.. (i.e. IMAP, SMTP, POP, etc.. all negotiate the TLS upgrade before the acutal request exchange, as part of the normal negotiation phase of respective protocol) I do concider it fully in scope to incorporate the definition of CONNECT into HTTP/1.1. Regards Henrik
Received on Wednesday, 29 August 2007 23:55:56 UTC