- From: Eliot Lear <lear@cisco.com>
- Date: Fri, 20 Sep 2013 07:52:53 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: Willy Tarreau <w@1wt.eu>, Mike Belshe <mike@belshe.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Roy T. Fielding" <fielding@gbiv.com>, IETF HTTP WG <ietf-http-wg@w3.org>

On 9/20/13 7:14 AM, Mark Nottingham wrote:
> On 20/09/2013, at 3:10 PM, Willy Tarreau <w@1wt.eu> wrote:
>> Then what do you think about just describing the current state without
>> giving any guidance about how to protect, so that the reader informs
>> himself on the subject if he feels concerned?
>
> Personally - I think that'd be a big improvement over saying nothing. However, AIUI the security folks like to see a listing of both threats *and* mitigations for them. Stephen?

I'm not Stephen, but that is what a security considerations section is for. The problem is twofold. We mixed it with privacy considerations, and they are somewhat different, albeit very related, and one could write several volumes on both for HTTP.

Eliot

Received on Friday, 20 September 2013 05:53:27 UTC