- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 11 Dec 2006 16:46:22 +0000
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: W3 Work Group <public-wsc-wg@w3.org>
Mary Ellen Zurko wrote:
>
> > 1. Whatever new mechanisms we recommend/derive/whatever, we need
> > to think about how they work if HTTP is not the substrate protocol.
>
> I'm not sure we have to. It may be that HTTP(S) is our goal, and while
> scope will include non-HTTP, what we have to do is make sure we cover
> HTTP. We may then generalize to non-HTTP as much as we can,

I think we're basically in agreement, however I'll quibble with that last phrase anyway :-)

I think "as much as we can" isn't quite right - I suspect we ought pay attention to non-HTTP protocols that are commonly supported by the mostly-HTTP-consuming user agents that are our main focus, which is a little weaker than "as much as we can."

The reason being that (IMO) the user often won't know whether or not they're running over HTTP, so ignoring the possibility of having the UA (ab)use FTP or SMTP (in weird SOAP cases) seems to me to be a bad idea.

So, I'm not arguing that we consider security context for a generic FTP server or FTP client, but more like for how FTP can be (ab)used in the context of a user who's primarily using an HTTP user agent.

Maybe we can craft the protocol scoping text to be something like the union of HTTP and whatever else popular UAs tend to support that can affect the HTTP security context.

Stephen.
Received on Monday, 11 December 2006 16:45:51 UTC