+1 to using the tracker so we can narrow the scope of disagreement and achieve closure.
On 10/15/11 5:54 PM, Adam Barth wrote:
> Yeah, I think using the issue tracker would be very helpful for making
> progress. Ideally we'd break these issues down into small, manageable
> topics. For example, rather than having a single issue about scope,
> we'll probably be better off with separate issues about whether
> particular things are or are not in scope.
>
> Adam
>
>
> On Sat, Oct 15, 2011 at 4:52 PM, Larry Masinter <[email protected]> wrote:
>> Could we start using the IETF tracker to keep track of our conversation on
>> the issues on MIME sniffing?
>>
>> The interaction with a "nosniff" header should be one issue.
>> The other three big issues that come to mind are
>>
>> * "scope" (to what situations does this apply)
>> * "opt-in case-by-case" (whether one either sniffs ALWAYS or sniffs NEVER,
>> or whether it's more nuanced and based on expectation)
>> * "normative algorithm vs. invariants for specifications".
>>
>>
>> I'm willing to write up these issues and the sniffing ones from
>> http://tools.ietf.org/html/draft-masinter-mime-web-info , and I hope we can
>> capture Pete Resnick's issues as well as Alexey's.
>>
>> Larry
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of
>> Tobias Gondrom
>> Sent: Sunday, October 02, 2011 2:44 PM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
>> Importance: Low
>>
>> <hat="individual">
>> Whether browsers will implement it, I can't tell. Maybe we can learn more when
>> we progress further with the mime-sniff draft.
>>
>> I don't have a strong opinion on the nosniff header.
>> Depending on where the mime-sniff debate will lead us, it might be a way to
>> mitigate concerns that in certain cases you really SHOULD NOT or MUST NOT
>> (RFC2119) sniff. Well, and with such a header you could enforce exactly that
>> for your sources, without breaking other unknown things/sites - which is the
>> main reason for many browser vendors to start doing sniffing in the first place.
>> (In one way nosniff could even be a migration path to less sniffing....)
>>
>> Best regards, Tobias
>>
>>
>>
>> On 01/10/11 15:30, Phillip Hallam-Baker wrote:
>>> On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth <[email protected]> wrote:
>>>> On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
>>>> <[email protected]> wrote:
>>>>> On 2011/09/29 11:45, Adam Barth wrote:
>>>>>> On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
>>>>>> <[email protected]> wrote:
>>>>>>> On 2011/09/29 8:26, Adam Barth wrote:
>>>>>>>> As I recall, the nosniff directive is pretty controversial.
>>>>>>> But then, as I recall, the whole business of sniffing is pretty
>>>>>>> controversial to start with. Are there differences between the
>>>>>>> controversiality of sniffing as such and the controversiality of
>>>>>>> the nosniff directive that explain why one is in the draft and the
>>>>>>> other is not?
>>>>>> The reason why one is in and the other isn't is just historical.
>>>>>> nosniff didn't exist at the time the document was originally written.
>>>>> Your first answer sounded as if the nosniff directive was too
>>>>> controversial to be included in any draft, but your second answer
>>>>> seems to suggest that it was left out by (historical) accident, and
>>>>> that it might be worth including it.
>>>> The essential question isn't whether we should include it in the
>>>> draft. The essential question is whether folks want to implement it.
>>>> If no one wants to implement it, putting it in the draft is a
>>>> negative. If folks want to implement it, then we can deal with the
>>>> controversy.
>>> +1
>>>
>>> The controversy seems to be of the 'cut off nose to spite face'
>>> variety. Sniffing is definitely terrible from a security perspective
>>> but people do it. Java and JavaScript were terrible as well but
>>> people did them and then left the rest of us with a mess that had to
>>> be fixed slowly over the next ten years.
>>>
>>> Sure this is not something we should have to think about but the fact
>>> is that the browsers do it and it is better for the standards to
>>> describe what the browsers actually do than what people think they
>>> should do.
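To make the per-resource opt-out Tobias describes concrete, here is an added example (not from the thread, the mime-sniff draft, or any browser): a small audit that parses raw HTTP response heads and reports whether a response carries `X-Content-Type-Options: nosniff` (the header name browsers shipped for the "nosniff header" the thread refers to) and whether its declared Content-Type is vague enough to invite sniffing if the opt-out is absent. The list of vague types and the two sample responses are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Declared types that say little about the bytes and so invite sniffing
# when the server has not opted out (assumed list, for illustration).
VAGUE_TYPES = {"", "text/plain", "application/octet-stream", "*/*", "unknown/unknown"}


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status line and a header map.

    Header names are lower-cased; repeated headers keep their order.
    Only the head (everything before the first blank line) is read.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw: bytes) -> Dict[str, object]:
    """Report whether a response opts out of sniffing and whether it needs to."""
    status, headers = parse_head(raw)
    # X-Content-Type-Options is the header name browsers implemented for the
    # "nosniff header" discussed in the thread; the token is case-insensitive.
    opts = {v.strip().lower() for v in headers.get("x-content-type-options", [])}
    nosniff = "nosniff" in opts
    ctype = headers.get("content-type", [""])[0]
    media = ctype.split(";", 1)[0].strip().lower()
    vague = media in VAGUE_TYPES
    return {
        "status": status,
        "nosniff": nosniff,                  # server enforced "do not sniff" here
        "media_type": media,
        "vague_type": vague,                 # declared type leaves room to guess
        "sniffable": vague and not nosniff,  # a sniffing client would guess
    }


# Constructed sample responses (not captured from any real server).
WEAK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        b"Content-Length: 11\r\n\r\nuser upload")
HARDENED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
            b"X-Content-Type-Options: NoSniff\r\nContent-Length: 11\r\n\r\nuser upload")

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```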
