IC-SC members: we need a path forward to address the issues identified at the plug fest regarding the HTTPS Transfer Specification. The specific items are:
1) Support for plain HTTP without TLS
2) Balance of content between HTTP headers and the OpenC2 message
3) Authentication of OpenC2 messages
4) Potential use of other security protocols with HTTP
Of that list, items 2 and 3 were raised by the FW BoF and it would be helpful if they can provide more specifics regarding the problems they encountered and potential solutions. Item 1 was a general matter, given the challenges of setting up certificates for authentication in a dynamic environment like the plug fest. Item 4 has come up from time to time.
Two basic approaches seem feasible to address these issues:
A) Begin developing an updated HTTPS transfer spec that incorporates options for no use of TLS and possibly alternatives to TLS
B) Create a new HTTP transfer spec that only defines the use of HTTP, including updates to the message format and header usage guidance to address item #2 above. This would then lead to a revision of the HTTPS transfer spec to refer to the new HTTP spec for content handling and provide guidance for the use of TLS.
Approach (B) also provides a basis to create other transfer [security] specs that integrate non-TLS security protocols with HTTP.
Duncan Sparrell has volunteered to edit a new HTTP spec, and I'm happy to serve as co-editor.
I propose that the primary agenda item for next week's IC-SC meeting (March 4th) should be discussion of these options and selection of a way ahead.
Dave
David Lemire, CISSP
HII Mission Driven Innovative Solutions (HII-MDIS) - formerly G2, Inc.
Technical Solutions Division
302 Sentinel Drive | Annapolis Junction, MD 20701
Email: dave.lemire@g2-inc.com
Work: 301-575-5190 | Mobile: 240-938-9350