Sam Hartman wrote:
Ah. I must admit that I find the whole concept of informational
documents a heck of a lot less useful, but your reading of 2026 is of
course correct. I'll probably still end up treating informational
documents as close to ietf consensus statements (but not
recommendations) in my head because honestly I cannot find any other
way to think about it that makes any sense to me. I certainly view an
informational docmuent that has gone through an ietf last call as a
statement from the IETF. We'll add this to one of the many areas
where I completely fail to get RFC 2026.
I definitely don't want to block other work with this document. I
think that to be particularly useful I'd like to get to a point where
we can say that having authentication schemes that meet these
requirements would be useful and that for some value of we
significantly greater than me, we think that would be a useful step
along the road to combatting phishing. I thought I was trying to have
that discussion here; you at least seem to think that is not the case.
At some future point we might charter work with the goal of doing
something similar to those requirements; in such a case, we might
decide to hold that work to these requirements. We're not discussing
doing that today.
If I believe there is a reasonable chance of success I'm willing to
put in significant effort towards achieving my goal. Absent that
belief I'm more interested in getting something out and working on
running code.
So, Here is a proposed IESG note that I think is consistent with my
intent and RFC 2026:
This document proposes requirements for HTTP authentication that are
intended to help combat the problem of phishing. These requirements
attempt to reduce the consequences of a user being tricked into using
a server provided by an attacker instead of the server they intended
to trust. These requirements have no normative force; publication of
these requirements does not bind future work to follow them.
Sam, I guess the question I have is why an individual submission is actually
the right vehicle for this sort of document. From the outside -- though
pretty
interested in the phishing problem -- I'd think that a more community
consensus
type of document with more teeth (ie, some normative force) would be a
Good Thing if consensus could be found. I read quite a few of these
comments
as being more of the nature that there wasn't a very good forum to shape the
content. I can sympathize with the notion that comments on IETF list during
last call for a document as important and likely controversial is
insufficient.
This list is noisy enough after all.
Mike
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf