Your points granted, the feeling of the HTTP-using community is, by
and large, that HTTP security/authz as it stands is “good enough”.
Are you arguing that the security of HTTP 2.0 should be required to be
qualitatively better? If so, someone is going to need to provide some
useful language to put in the draft charter so that we can argue about
specifics not armwaving.
-Tim
On Thu, Feb 23, 2012 at 10:00 AM, Leif Sawyer <lsawyer(_at_)gci(_dot_)com>
wrote:
I've got the last 2 decades of experience trying to deal with security on the
network.
95% is dealing with the peculiarities of the "bolt-on" after-thoughts.
I would much prefer seeing security designed-in, with the flexibility to
deal with
the future...
________________________________________
From: ietf-bounces(_at_)ietf(_dot_)org [ietf-bounces(_at_)ietf(_dot_)org] On
Behalf Of RJ Atkinson [rja(_dot_)lists(_at_)gmail(_dot_)com]
Sent: Thursday, February 23, 2012 8:59 AM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
On 23 Feb 2012, at 11:13 , Julian Reschke wrote:
On 2012-02-22 18:01, RJ Atkinson wrote:
Security that works well and is practical to implement
needs to be designed-in, not bolted-on later.
I would say: security needs to be orthogonal.
There are at least 2 decades of experience that
security has to be design-in, rather than bolted-on,
for it to work well -- and for it to be practical
to implement.
I hear that you don't agree, but the IETF experience
on this specific point really is quite clear. Add-on
security doesn't work.
Yours,
Ran
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf