Thanks for the response, Cyrus!

On Fri 2015-01-30 11:39:33 -0500, Cyrus Daboo wrote:
> Whilst that is true I don't think we should be required to deal with issues
> that are generic to HTTP itself (and in some cases already covered in the
> base HTTP specs - e.g. server log information).

I'm not convinced by this argument. This proposal sets up a particular profile that an HTTP server is likely to run, with clients that are going to access it in a very particular pattern under normal circumstances. As a result, we can characterize the expected system behavior in much more detailed ways, so we can think more concretely about how and why logs (and other aspects of HTTP operation) might be useful or harmful.

For example, the spec already says that the server needs to be configured to work with HTTPS. That's distinct from many HTTP server configurations in the wild, and with good reason. Why doesn't this apply to other aspects of HTTP operation like logging?

(side note: I just noticed, do you want to require the clients to use HTTPS with the SNI extension of TLS? If you do make that a requirement, it would make it easier for Providers to deploy their systems on shared IP addresses)

--dkg
_______________________________________________
ietf-privacy mailing list
ietf-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-privacy