- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 25 Feb 2012 15:20:36 +0100
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- CC: IETF-Discussion <ietf@ietf.org>, "Roy T. Fielding" <fielding@gbiv.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Mark Nottingham <mnot@mnot.net>, Tim Bray <tbray@textuality.com>, The IESG <iesg@ietf.org>, ietf-http-wg@w3.org
On 2012-02-25 15:13, Stephen Farrell wrote: > > > On 02/25/2012 02:03 PM, Julian Reschke wrote: >> On 2012-02-25 14:46, Stephen Farrell wrote: >>> ... >>> Yeah that's a tricky one. While one might like to >>> see "one or more" in both places that might not be >>> practical. >>> >>> In the proposal above the goal is that httpbis pick one >>> or more but recognising the reality that we might not get >>> a new proposal that httpbis will accept and that folks >>> will really implement and deploy. >>> >>> So: >>> Goal = one or more >>> Reluctant recognition of reality = zero or more >>> >>> With this plan if httpbis in fact select zero new proposals >>> that would represent a failure for all concerned. The "zero >>> or more" term is absolutely not intended to provide a way to >>> just punt on the question. >>> >>> Such a failure at the point where httpbis was re-chartering >>> to work on a HTTP/2.0 selection with no better security than >>> we now have is probably better evaluated as a whole - I >>> guess the question for the IETF/IESG at that point would >>> be whether the Internet would be better with or without >>> such a beast, or better waiting a while until the security >>> thing did get fixed. >>> >>> I can imagine an argument might ensue about that;-) >>> ... >> >> If we just need a new authentication scheme, nothing stops people from >> working on that right now. > > I don't agree with you there - the perceived low probability that > something will be deployed is a real disincentive here. We have had > people wanting to do work on this and have been told there's no point > because it won't get adopted. Just checking: so you think what's needed is a normative requirement to implement the new scheme? Do you really believe that that's what holding up improvements in this area? > > I don't see how that should affect HTTP/2.0. > > Well, a number of people have noticed that current schemes > are getting long in the tooth and fixing stuff like that when > you do a major rev of a protocol is quite a reasonable thing > to do. If there's something from with the framework, let's fix the framework. That's already covered by the current charter, no? >> If the "right" way to do security needs changes in the HTTP/1.1 >> authentication framework, then we should fix/augment/tune HTTP/1.1. It's >> not going to go away anytime soon. > > Sure, I agree with that and think the plan above allows for it. My point being: this is something we already do in httpbis. What's missing is concrete bug reports. Best regards, Julian
Received on Saturday, 25 February 2012 14:21:23 UTC