Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#549 closed editorial (incorporated)

augment security considerations with pointers to current research

Reported by: julian.reschke@… Owned by: draft-ietf-httpbis-p1-messaging@…
Priority: normal Milestone: 26
Component: p1-messaging Severity: In IESG Evaluation
Keywords: Cc:

Description

Stephen Farrell

Discuss (2013-12-19)

There was originally supposed to be a separate deliverable to describe the security properties of HTTP, but that's not happening. I think its fair to say that the security considerations here (or across the entire set) don't really do all of that as well. I think that does leave a gap. However, I'm not sure what to do about that, since I don't believe there's any real chance of getting anyone to address this gap - its been tried and apparently failed, and with lots of security work in HTTP/2.0, its extremely unlikely that a victim will be found for this un-fun task.

That said, I do think it'd be worthwhile if the authors made an attempt to fill that gap by spending some cycles on finding a good set of references to HTTP security topics and adding those to the security considerations sections of p1 and/or p2.

Now, I'm sure that the authors won't want to do that (who ever wants to do a state-of-the-art study? even a tiny one like this) so the point I want to DISCUSS with the IESG initially and then with the chair and authors is whether or not that's a reasonable ask. (So, authors, no need to chime in just yet.)

Attachments (1)

549.diff (1018 bytes) - added by julian.reschke@… 6 years ago.
Proposed patch for p1

Download all attachments as: .zip

Change History (10)

comment:1 Changed 6 years ago by julian.reschke@…

  • Summary changed from augment security considerations to augment security considerations with pointers to current research

Changed 6 years ago by julian.reschke@…

Proposed patch for p1

comment:2 Changed 6 years ago by julian.reschke@…

From [2547]:

augment security considerations with pointers to current research (see #549)

comment:3 Changed 6 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed

comment:4 Changed 6 years ago by fielding@…

From [2565]:

(editorial) Add security section on injection attacks; reference the OWASP Guide instead of the wiki; see #520 and #549

comment:5 Changed 6 years ago by fielding@…

From [2567]:

(editorial) Use more specific headers in security section for clarity and put related sections next to each other; see #520 and #549

comment:6 Changed 6 years ago by fielding@…

From [2568]:

(editorial) update security section intro for p7; see #520 and #549

comment:7 Changed 6 years ago by fielding@…

From [2569]:

(editorial) OWASP only provides useful additional info for web application semantics and authentication; see #520 and #549

comment:8 Changed 6 years ago by fielding@…

From [2609]:

Augment security considerations with pointers to current research and explanation of the considerations specific to HTTP message parsing and routing; see #531 and #549

comment:9 Changed 6 years ago by fielding@…

From [2612]:

(editorial) minor tweaks to new security sections (suggested by mnot); see #549

Note: See TracTickets for help on using tickets.