RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Wed, 18 Oct 2006 02:43:44 +0000
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02784D82@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Robert Sayre <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>
CC: Julian Reschke <julian.reschke@gmx.de>, <lists@ingostruck.de>, Larry Masinter <masinter@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>




One could argue that because so much of HTTP access is legitimately
anonymous, it should be OK for a conforming implementation to not have
to implement Basic or Digest. 

However, that doesn't mean that we couldn't spec it such that IF one or
more authentication mechanisms are implemented, that set must include
XXX (where XXX is the defined mandatory-to-implement auth mech).

I believe that MTI is a good idea, for the case where there is more than
one reasonable choice, in order to guarantee that all implementations
can be configured to interop.


-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Robert Sayre
Sent: Tuesday, October 17, 2006 4:28 PM
To: Lisa Dusseault
Cc: Julian Reschke; lists@ingostruck.de; Larry Masinter; HTTP Working
Group
Subject: security requirements (was: Updating RFC 2617 (HTTP Digest) to
use UTF-8)


On 10/17/06, Lisa Dusseault <lisa@osafoundation.org> wrote:
>
> Since there are so many ways to approach this, so many variations in
> what specs are revised and how they depend upon each other, I can't
> say whether I, or the IESG, expect a revision to RFC2616 to "step
> into" the area covered by RFC2617.

Perhaps we should poll the HTTP community as a start. Does anyone
think mandatory-to-implement security mechanisms will be helpful and
realistic?

-- 

Robert Sayre
Received on Wednesday, 18 October 2006 07:14:52 GMT