On 5/11/20 10:17 PM, Benjamin Kaduk wrote:
On Thu, May 07, 2020 at 02:05:53PM -0700, Michael Thomas wrote:
So here's the question: the flows that I created are definitely over the
wire. But they are over the wire between really one party, the web site
owner, since they control the code (= server, client js) on both ends.
However as everybody knows, security is not easy so getting those flows
*correct* is very hard. I have some experience here, and it's mainly
telling me that I'm sure I got things wrong. So what is the policy
within IETF where a site could roll their own, but really shouldn't
because it ought to be vetted? Is standardizing such a thing in scope
in IETF or other standards bodies? Because at its heart is not
interoperability across implementation, but vetting a security design
that goes over the wire.
If I understand you correctly, it can be in scope to write up
(informationally, usually) a protocol for sending stuff over the wire
between two endpoints controlled by the same entity that avoids
security-relevant pitfalls.
I guess this begs the question why standards-track isn't appropriate? I
mean, lots of $MEGACORPS might just as well be different organizations
when it comes to interoperability issues. And they certainly have all of
the same problems of each group rolling their own (badly). And of course
standards mean that there's review, which is especially important with
security related stuff.
Mike
