Re: [websec] handling STS header field extendability

[Barry Leiba <barryleiba@computer.org>]

>>> I'd also noted that we need to decide on a IANA policy to declare.
>>
>> Do we need to do this?  Assuming the proposed resolution achieves
>> consensus (and there have been no nays yet), we're not setting up a
>> registry. I don't think we get to set a policy for a registry we're not
>> setting up.
>
> <hat="WG chair">
> AFAIK from an administrative perspective, Yoav is right.
> In general we set the IANA policy for registry updates at creation of the
> registry. So no need to do it here without the registry (assuming we don't
> create an IANA registry).

The point in this case is that this is a response to Ben's GenART
review, which suggested that we at least nail down the registration
policy at this point, lest someone come along later with an extension
and create the registry with, say, an FCFS policy (probably too
light), or perhaps with a Standards Action policy (arguably too
heavy).

The WG can validly disagree with Ben's review, and unless Russ (or
another AD) strongly agrees and uses it as a DISCUSS point, we're
done.  Even in that case, the WG can still argue against it and try to
convince the AD that it's OK not to do this... and, as Tobias point
out, we usually don't.

So maybe we should modify what Jeff said, thus:

>>> I'd also noted that we need to decide on a IANA policy to declare.

"We need to decide on an IANA policy *or* explicitly decide that we
don't want to choose that now, and leave it to whoever creates the
registry later."

Apparently, we have at least two votes for the latter, from Yoav and Tobias.

Barry (with AD hat off, but handily tucked at the ready under his arm)