ietf

Re: with merit?

2006-10-19 10:33:37
On Thu, 19 Oct 2006 12:29:07 -0400, Robert Sayre <rsayre(_at_)mozilla(_dot_)com>
wrote:


> OK. I want to write a document that makes MTI a non-requirement for
> HTTP1.1-based protocols, because I believe that is the consensus in the
> HTTP community. How do I get that done?

Are you trying to change general IETF policy on security requirements or
just get an exception for this one case?  Either way, you need to write an
I-D. The latter would be easier -- the I-D should be structured as a
process variance.  It should explain why this particular case should be
exempt from the usual requirements for secure protocol design.  Such RFCs
are unusual but not unprecedented; Alex Zinin and I wrote one, RFC 4278,
-- and it was a security-related variance -- where we knowingly approved a
security protocol that does not meet today's standards.  (More precisely,
the variance was to approve a downref in maturity, to let a Draft Standard
have a normative dependency on a Proposed Standard security document,
because the security document is too flawed to be promoted to Draft.  4278
explains why we think it's acceptable in this context.)

(Note, btw, that I'm not familiar with the specifics of this particular
protocol, so I have no opinion on whether or not I personally would
support such a waiver.)

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
