Paul Hoffman wrote:
> 
> At 10:39 PM -0500 2/23/06, Robert Sayre wrote:
>> When the WG finishes this document, the security ADs are going to look
>> for 'mandatory-to-implement' security features.
> 
> They will, but we won't know what the result will be if we don't list
> any. The proposal to say "do what HTTP does" is a reasonable one that
> might or might not pass muster with the Security ADs and/or the Apps
> ADs. That is, if we do what all other HTTP-using protocols do, can we be
> told "you have to do more"? Maybe.
> 

At this point, so what? Anything is better than what we currently have
in there (which is essentially nothing) and no strong arguments for
anything more detailed and specific than what's in
PaceFixSecurityConsiderations have been made.  Keep it simple. Point to
2616 and 2617.  And if the ADs come back and say we need more, so be
it, we ask 'em what they want to see and we add it in if it makes sense.

- James
