- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 22 Feb 2012 12:29:02 +1300
- To: <ietf-http-wg@w3.org>

On 22.02.2012 11:46, Tim Bray wrote:
> [in-line]
>
> On Tue, Feb 21, 2012 at 2:40 PM, Mark Nottingham wrote:
>>> And then should it include adding some new options
>>> or MTI auth schemes as part of HTTP/2.0 or even looking
>>> at that? (I think it ought to include trying for that
>>> personally, even if there is a higher-than-usual risk
>>> of failure.)
>>
>>
>> Based on past experience, I think the risk is very high, and we
>> don't need to pile any more risk onto this particular project.
>
> +1
>
> HTTP's ability to be equipped with security technology has been
> adequate, and I haven't heard much argument that its semantics were
> the big obstacle to newer/better security. Preserving its semantics
> means its successor should be equally adequate.
>
> Mnot is *understating* the risk of loading up the charter with this
> stuff. -T

+1.

I think the new security additions should be limited to making it clear and ensuring that HTTP as a transport neither adds nor subtracts security to the overall system.

HTTP over TLS or such has connection-level security/authentication as inherited from that TLS.

HTTP message authentication or such has per-message security for the particular message.

We may have to consider new features or restrictions to ensure that TLS level security is retained end-to-end or such. But fixing problems in those other layers in a charter to re-design the middle HTTP layer seems inappropriate.

AYJ

Received on Tuesday, 21 February 2012 23:29:28 UTC