Your points granted, the feeling of the HTTP-using community is, by and large, that HTTP security/authz as it stands is “good enough”. Are you arguing that the security of HTTP 2.0 should be required to be qualitatively better? If so, someone is going to need to provide some useful language to put in the draft charter so that we can argue about specifics not armwaving.

-Tim

On Thu, Feb 23, 2012 at 10:00 AM, Leif Sawyer <lsawyer@xxxxxxx> wrote:
> I've got the last 2 decades of experience trying to deal with security on the network.
>
> 95% is dealing with the peculiarities of the "bolt-on" after-thoughts.
>
> I would much prefer seeing security designed-in, with the flexibility to deal with
> the future...
>
> ________________________________________
> From: ietf-bounces@xxxxxxxx [ietf-bounces@xxxxxxxx] On Behalf Of RJ Atkinson [rja.lists@xxxxxxxxx]
> Sent: Thursday, February 23, 2012 8:59 AM
> To: ietf@xxxxxxxx
> Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)
>
> On 23 Feb 2012, at 11:13 , Julian Reschke wrote:
>> On 2012-02-22 18:01, RJ Atkinson wrote:
>>> Security that works well and is practical to implement
>>> needs to be designed-in, not bolted-on later.
>>
>> I would say: security needs to be orthogonal.
>
> There are at least 2 decades of experience that
> security has to be designed-in, rather than bolted-on,
> for it to work well -- and for it to be practical
> to implement.
>
> I hear that you don't agree, but the IETF experience
> on this specific point really is quite clear. Add-on
> security doesn't work.
>
> Yours,
>
> Ran
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf