On Thu, 19 Oct 2006 12:29:07 -0400, Robert Sayre <rsayre@xxxxxxxxxxx> wrote:

> OK. I want to write a document that makes MTI a non-requirement for
> HTTP1.1-based protocols, because I believe that is the consensus in the
> HTTP community. How do I get that done?

Are you trying to change general IETF policy on security requirements or just get an exception for this one case?

Either way, you need to write an I-D. The latter would be easier -- the I-D should be structured as a process variance. It should explain why this particular case should be exempt from the usual requirements for secure protocol design.

Such RFCs are unusual but not unprecedented; Alex Zinin and I wrote one, RFC 4278, -- and it was a security-related variance -- where we knowingly approved a security protocol that does not meet today's standards. (More precisely, the variance was to approve a downref in maturity, to let a Draft Standard have a normative dependency on a Proposed Standard security document, because the security document is too flawed to be promoted to Draft. 4278 explains why we think it's acceptable in this context.)

(Note, btw, that I'm not familiar with the specifics of this particular protocol, so I have no opinion on whether or not I personally would support such a waiver.)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb