On 2/22/12 11:39 AM, Paul Hoffman wrote:
On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote:
Regardless of that you do have a fair point that asking apps folks
to do stuff that'll please security folks might be asking for
However, the counter to that is that security folks doing stuff
without enough apps input might produce something that won't get
adopted which also doesn't produce the right end result.
Anyway, I think this topic, if tackled, won't lack interested
participants and will get plenty of security and apps input no
matter how we organise it.
Peter St.Andre's suggestion of a separate WG to deal specifically
with HTTP authentication seems like the best way to be sure both sets
of parties are fully involved. If the IESG charters it within the
next few months, the HTTP 2.0 work can be informed by any changes (if
any) that are needed.
By the way, I forwarded this message to the http-auth(_at_)ietf(_dot_)org list
(yes, we already have a discussion list for these topics). The small
sample of replies indicates that (1) folks would prefer to broaden the
topic to web authentication, not strictly HTTP authentication and (2)
not everyone who is interested in these topics subscribes to the more
general ietf-http-wg(_at_)w3(_dot_)org list.
Ietf mailing list