At 10:39 PM -0500 2/23/06, Robert Sayre wrote:
> When the WG finishes this document, the security ADs are going to look
> for 'mandatory-to-implement' security features.

They will, but we won't know what the result will be if we don't list any. The proposal to say "do what HTTP does" is a reasonable one that might or might not pass muster with the Security ADs and/or the Apps ADs. That is, if we do what all other HTTP-using protocols do, can we be told "you have to do more"? Maybe.

> That's why we added a
> bunch of specifics to the XML Security section in the format document.

Quite true. In the case of the format document, there was one standard way to protect XML data. For HTTP, there are many.

We have the option of asking the ADs in advance "would you allow this through", but they don't have to respond definitively. Whether or not we pick a single mandatory-to-implement security protocol, we should say why we did what we did in the document so that people in the IETF Last Call don't ask "but did you think about Xyz?".

--Paul Hoffman, Director
--Internet Mail Consortium
