On Thu, May 07, 2020 at 02:05:53PM -0700, Michael Thomas wrote:
>
> So here's the question: the flows that I created are definitely over the
> wire. But they are over the wire between really one party, the web site
> owner, since they control the code (= server, client js) on both ends.
> However as everybody knows, security is not easy so getting those flows
> *correct* is very hard. I have some experience here, and it's mainly
> telling me that I'm sure I got things wrong. So what is the policy
> within IETF where a site could roll their own, but really shouldn't
> because it ought to be vetted? Is standardizing such a thing in scope
> in IETF or other standards bodies? Because at its heart is not
> interoperability across implementation, but vetting a security design
> that goes over the wire.

If I understand you correctly, it can be in scope to write up (informationally, usually) a protocol for sending stuff over the wire between two endpoints controlled by the same entity that avoids security-relevant pitfalls.

-Ben