IETF Logo Mail Archive

Re: Straw-man charter for http-bis

Chris Newman <Chris.Newman@Sun.COM> Wed, 06 June 2007 22:43 UTC

Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hw4DV-0001tX-Li; Wed, 06 Jun 2007 18:43:01 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1Hw4DU-0001tR-48 for discuss-confirm+ok@megatron.ietf.org; Wed, 06 Jun 2007 18:43:00 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hw4DT-0001tG-Qh for discuss@apps.ietf.org; Wed, 06 Jun 2007 18:42:59 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hw4DT-0005gR-00 for discuss@apps.ietf.org; Wed, 06 Jun 2007 18:42:59 -0400
Received: from fe-amer-01.sun.com ([192.18.108.175]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l56MgwZ9025296 for <discuss@apps.ietf.org>; Wed, 6 Jun 2007 22:42:58 GMT
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) id <0JJ800L01JYKWN00@mail-amer.sun.com> (original mail from Chris.Newman@Sun.COM) for discuss@apps.ietf.org; Wed, 06 Jun 2007 16:42:58 -0600 (MDT)
Received: from [10.1.110.5] by mail-amer.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPSA id <0JJ800DJEKFHG940@mail-amer.sun.com>; Wed, 06 Jun 2007 16:42:58 -0600 (MDT)
Date: Wed, 06 Jun 2007 15:42:54 -0700
From: Chris Newman <Chris.Newman@Sun.COM>
Subject: Re: Straw-man charter for http-bis
In-reply-to: <392C98BA-E7B8-44ED-964B-82FC48162924@mnot.net>
To: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-id: <6AE049B9045C00064222693F@[10.1.110.5]>
MIME-version: 1.0
X-Mailer: Mulberry/3.1.6 (Mac OS X)
Content-type: text/plain; format=flowed; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
References: <BA772834-227A-4C1B-9534-070C50DF05B3@mnot.net> <392C98BA-E7B8-44ED-964B-82FC48162924@mnot.net>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: Apps Discuss <discuss@apps.ietf.org>
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org

Here's my take as AD on some of the interesting topics in this thread:

1. HTTP Digest Authentication

The SASL WG appears to have decided that SASL DIGEST-MD5 is not a useful 
authentication mechanism for a number of technical reasons.  I would be 
uncomfortable having a WG spend a lot of time refining the existing HTTP Digest 
mechanism based on that experience.  However, documenting the i18n behavior of 
deployed implementations sounds like a sensible thing to do.

2. HTTP Security

Phishing demonstrates that HTTP's present security mechanisms are not adequate 
to meet some important requirements of the present users of the protocol.  I 
would be uncomfortable moving HTTP from Draft Standard to Standard given this 
situation.  It's likely that new work on HTTP security mechanisms (as outlined 
by draft-hartman-webauth-phishing) is necessary.  However, even with the 
present security situation, I have no doubt that RFC 2616 is widely useful and 
improving the technical clarity of the base specification is good work that 
would benefit the Internet community.  The minimum work necessary to make a 
draft standard revision of the base specification complete would be to clearly 
document the limitations of the presently deployed HTTP security mechanisms and 
the fact they are not adequate for all situations.  Beyond that I consider it 
inappropriate to hold publication of a useful revision hostage to new security 
engineering work.  That opinion may not be shared by others on the IESG. 
Regardless, I would very much like to see forward progress on the HTTP security 
situation.

3. One vs. Two WGs

I would support the formation of two separate WGs: HTTP and HTTP security as 
the people who have appropriate expertise for those efforts are not identical. 
Indeed I'd be uncomfortable with a single WG that was both revising 2616 and 
designing new HTTP security mechanisms as the latter may be helped by the 
attention of security experts that likely have no interest in the former.

4. Specification Rewrite

Because the IETF process gives quite a bit of control to the document editor 
and design teams, our process allows an alternate editor to produce a competing 
specification and ask for a WG consensus call to adopt that competing 
specification.  This is discussed in the following IESG Note:
   <http://www.ietf.org/IESG/STATEMENTS/Design-Teams.txt>
>From discussions here, I suspect it's unlikely an alternate specification would 
be adopted by the WG in this case, especially because it might drop the target 
status from draft to proposed for the reasons Keith mentioned.  However, this 
is an important mechanism the keep the process open.

                - Chris Newman
                Applications Area Director

v2.8.7 | Report a Bug | By Email