Re: [HASMAT] moving forward

Barry Leiba <> Wed, 25 August 2010 01:17 UTC

To: IETF HASMAT list <>
List-Id: HTTP Application Security Minus Authentication and Transport <>

As I've said to Jeff back in Pays-Bas, I'm less concerned about the
name than about the charter.  The problem description at the BoF said
that a main issue is that this stuff has been previously dealt with in
a haphazard manner.  We then looked at three haphazard drafts, which
the charter proposes to standardize.  This doesn't address the core

What does address the core problem is the part about studying the
problem space.  From one of the proposed charters:

> In addition, this working group will consider the overall topic of HTTP
> application security and compose a "problem statement and requirements"
> document that can be used to guide further work.

I'd like to see much more emphasis placed on this part, and have the
scope of this hashed out a bit more.  I think the focus of the WG
should be on this, with the three existing drafts as something we do
along the way... rather than the other way 'round, as it is now.