paulehoffman / draft-hoffman-dispatch-dns-over-https


assorted ramblings about UPDATE and POST #5

Open Habbie opened 7 years ago

Habbie commented 7 years ago
  1. Allowing the UPDATE opcode (or anything else that affects state) in GET requests is wrong, but the draft could get away with just saying that.
  2. One could argue that allowing UPDATE, by default, is a security problem in (bad) network setups that currently do not ACL updates and get away with this because they trust their users - but they may not trust random sites on the Internet. When I discussed this with Paul, his stance appeared to be that these people should be ACLing then.
  3. We cannot be exhaustive about what opcodes affect things, so when writing words on this, be clear about the incompleteness.
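
An added example, not part of Habbie's comment or of the draft: a server-side opcode gate that uses an allow-list, so it does not need an exhaustive list of state-changing opcodes. Assumptions: the GET parameter carries the DNS message as unpadded base64url, UPDATE on POST is off unless the operator opts in, and all function names are hypothetical.

```python
import base64
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5   # values from RFC 1035 and RFC 2136

def decode_get_param(value: str) -> bytes:
    """Decode an unpadded base64url DNS message (encoding assumed here)."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def encode_get_param(message: bytes) -> str:
    """Inverse of decode_get_param, used to build the constructed samples."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode()

def dns_opcode(message: bytes) -> int:
    """Extract the 4-bit OPCODE from the 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    (flags,) = struct.unpack("!H", message[2:4])
    return (flags >> 11) & 0xF

def allowed_opcodes(method: str, update_on_post: bool = False) -> set:
    """Allow-list: any opcode not named here is refused, known or not."""
    allowed = {OPCODE_QUERY} if method in ("GET", "POST") else set()
    if method == "POST" and update_on_post:   # explicit operator opt-in
        allowed.add(OPCODE_UPDATE)
    return allowed

def check_request(method: str, message: bytes, update_on_post: bool = False):
    """Return (accepted, reason) for one DNS-over-HTTPS request."""
    try:
        opcode = dns_opcode(message)
    except ValueError as exc:
        return False, str(exc)
    if opcode not in allowed_opcodes(method, update_on_post):
        return False, f"opcode {opcode} not allowed in {method}"
    return True, "ok"

def sample_message(opcode: int) -> bytes:
    """Constructed sample; only the header matters to the gate above."""
    header = struct.pack("!HHHHHH", 0, opcode << 11, 1, 0, 0, 0)
    name = b"\x07example\x03com\x00"
    return header + name + struct.pack("!HH", 1, 1)   # type A, class IN

if __name__ == "__main__":
    for method, opcode in (("GET", 0), ("GET", 5), ("POST", 5), ("POST", 3)):
        print(method, opcode, check_request(method, sample_message(opcode)))
```

This gate only keeps state-changing opcodes off the GET path; it does not replace update ACLs on the authoritative server.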