- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 18 Oct 2006 10:17:12 +0200
- To: "Roy T. Fielding" <fielding@gbiv.com>
- CC: Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Roy T. Fielding wrote: > > On Oct 17, 2006, at 5:38 PM, Robert Sayre wrote: >> Does anyone think mandatory-to-implement authentication schemes or >> transport-layer security mechanisms will be helpful and realistic? > > Not without changing the HTTP version number, but I suppose that > I shouldn't assume that is obvious. HTTP/1.1 has already been > deployed and I have no interest in declaring any of those > implementations broken just because they failed to anticipate a > not-yet-specified secure auth mechanism. That ship has sailed. > > So, if anyone thinks that a secure authentication scheme is a cool > thing, they should propose one and eventually update RFC 2617 to > include it, at which point it will be an OPTIONAL secure auth > mechanism for HTTP/1.1 (without any need to change RFC 2616). > The only way to make it a REQUIRED secure auth mechanism for HTTP > is to move on to HTTP/1.2, at which point we open the flood gates. > > ....Roy Thanks, Roy. I think that makes it clear that a revision of HTTP/1.1 can't make that change, unless all existing implementations already comply to these new requirements (which they don't). Best regards, Julian
Received on Wednesday, 18 October 2006 08:17:22 UTC