W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Re: HTTP/1.1 + Digest

From: <hallam@vesuvius.ai.mit.edu>
Date: Tue, 27 Aug 96 20:27:04 -0400
Message-Id: <9608280027.AA01242@vesuvius.ai.mit.edu>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: dwm@shell.portal.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, hallam@vesuvius.ai.mit.edu

Larry>

>Writing MUST instead of SHOULD in the specification is not any way to
>force some vendor to either implement or not implement something. The
>spec should say what makes sense, not what is politically
>expedient. We should write "MUST" if non-compliance causes systems to
>break.

This is the case here. Sending passwords in the clear causes systems
to be susceptible to security problems that they would not otherwise
be vulnerable to.

Having one's system hacked is a pretty extreme form of having it break.

	Phill
Received on Tuesday, 27 August 1996 17:35:18 EDT
