httpwg / httpbis-issues


augment security considerations with pointers to current research #549

Closed mnot closed 3 years ago

mnot commented 10 years ago

Stephen Farrell

Discuss (2013-12-19)

There was originally supposed to be a separate deliverable to describe the security properties of HTTP, but that's not happening. I think it's fair to say that the security considerations here (or across the entire set) don't really do all of that as well. I think that does leave a gap. However, I'm not sure what to do about that, since I don't believe there's any real chance of getting anyone to address this gap - it's been tried and apparently failed, and with lots of security work in HTTP/2.0, it's extremely unlikely that a victim will be found for this un-fun task.

That said, I do think it'd be worthwhile if the authors made an attempt to fill that gap by spending some cycles on finding a good set of references to HTTP security topics and adding those to the security considerations sections of p1 and/or p2.

Now, I'm sure that the authors won't want to do that (who ever wants to do a state-of-the-art study? even a tiny one like this) so the point I want to DISCUSS with the IESG initially and then with the chair and authors is whether or not that's a reasonable ask. (So, authors, no need to chime in just yet.)

Reported by julian.reschke@gmx.de, migrated from https://trac.ietf.org/trac/httpbis/ticket/549

mnot commented 10 years ago

julian.reschke@gmx.de changed summary from "augment security considerations" to "augment security considerations with pointers to current research"

mnot commented 10 years ago

Proposed patch for p1

mnot commented 10 years ago

julian.reschke@gmx.de commented:

From 2547:

augment security considerations with pointers to current research (see #549)

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2565:

(editorial) Add security section on injection attacks; reference the OWASP Guide instead of the wiki; see #520 and #549

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2567:

(editorial) Use more specific headers in security section for clarity and put related sections next to each other; see #520 and #549

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2568:

(editorial) update security section intro for p7; see #520 and #549

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2569:

(editorial) OWASP only provides useful additional info for web application semantics and authentication; see #520 and #549

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2609:

Augment security considerations with pointers to current research and explanation of the considerations specific to HTTP message parsing and routing; see #531 and #549

mnot commented 10 years ago

fielding@gbiv.com commented:

From 2612:

(editorial) minor tweaks to new security sections (suggested by mnot); see #549