Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 18 Oct 2006 10:17:12 +0200
Message-ID: <4535E308.6000107@gmx.de>
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Roy T. Fielding wrote:
> 
> On Oct 17, 2006, at 5:38 PM, Robert Sayre wrote:
>> Does anyone think mandatory-to-implement authentication schemes or
>> transport-layer security mechanisms will be helpful and realistic?
> 
> Not without changing the HTTP version number, but I suppose that
> I shouldn't assume that is obvious.  HTTP/1.1 has already been
> deployed and I have no interest in declaring any of those
> implementations broken just because they failed to anticipate a
> not-yet-specified secure auth mechanism.  That ship has sailed.
> 
> So, if anyone thinks that a secure authentication scheme is a cool
> thing, they should propose one and eventually update RFC 2617 to
> include it, at which point it will be an OPTIONAL secure auth
> mechanism for HTTP/1.1 (without any need to change RFC 2616).
> The only way to make it a REQUIRED secure auth mechanism for HTTP
> is to move on to HTTP/1.2, at which point we open the flood gates.
> 
> ....Roy

Thanks, Roy.

I think that makes it clear that a revision of HTTP/1.1 can't make that 
change, unless all existing implementations already comply with these new 
requirements (which they don't).

Best regards, Julian
Received on Wednesday, 18 October 2006 08:17:22 GMT