Re: Security Properties, was: Rechartering HTTPbis

Mark Nottingham <mnot@mnot.net> Fri, 03 February 2012 01:01 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4F2A90E0.1010909@gmx.de>
Date: Fri, 03 Feb 2012 11:58:59 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <0B467AA9-B006-4400-89F5-AE4207C23C74@mnot.net>
References: <4429D3C2-9696-4110-B5BE-60DFB8A3101F@mnot.net> <4F2A90E0.1010909@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
Subject: Re: Security Properties, was: Rechartering HTTPbis
Archived-At: <http://www.w3.org/mid/0B467AA9-B006-4400-89F5-AE4207C23C74@mnot.net>

On 03/02/2012, at 12:34 AM, Julian Reschke wrote:

> On 2012-01-24 04:55, Mark Nottingham wrote:
>> ...
>>   Feb 2012    Working Group Last Call for HTTP Security Properties
>> ...
> 
> Out of curiosity: this document hasn't changed since March 2010. Do we plan to do any additional work on it?
That's a good question. Originally, this document was put into our charter to address the need for Mandatory-to-Implement security in HTTP; since we couldn't make it a hard requirement, it was thought that educating users / implementers / administrators was the next best thing.

In the meantime, it's been difficult to get forward momentum on the document (perhaps because it is so broad, and because for it to be useful, it needs to be detailed; however, if it's detailed, it will likely become stale quickly, IMO). 

We should discuss this as part of re-chartering; if HTTP/2.0 has MTI security, it could change things.

Regards,

--
Mark Nottingham   http://www.mnot.net/