
Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: David Morris <dwm@xpasc.com>
Date: Tue, 17 Oct 2006 18:50:58 -0700 (PDT)
To: Robert Sayre <sayrer@gmail.com>
cc: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0610171741160.5589-100000@egate.xpasc.com>



On Tue, 17 Oct 2006, Robert Sayre wrote:

>
> On 10/17/06, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> > * Robert Sayre wrote:
> > >On 10/17/06, Lisa Dusseault <lisa@osafoundation.org> wrote:
> > >>
> > >> Since there are so many ways to approach this, so many variations in
> > >> what specs are revised and how they depend upon each other, I can't
> > >> say whether I, or the IESG, expect a revision to RFC2616 to "step
> > >> into" the area covered by RFC2617.
> > >
> > >Perhaps we should poll the HTTP community as a start. Does anyone
> > >think mandatory-to-implement security mechanisms will be helpful and
> > >realistic?
> >
> > Of course! Are you proposing to remove all the existing mandatory-to-
> > implement security mechanisms in RFC 2616 and RFC 2617?
>
> Björn,
>
> This is not a very helpful answer. Let me be more specific.
>
> Does anyone think mandatory-to-implement authentication schemes or
> transport-layer security mechanisms will be helpful and realistic?

Yes ... w/o mandatory requirements there will be less availability of
support for security features. Mandatory requirements mean a software
publisher can't claim compliance w/o implementing the feature. It is
easier to report defects in a claimed feature than it is to get a 'new'
feature implemented.

Received on Wednesday, 18 October 2006 02:19:38 GMT
