
Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 20 Oct 2006 10:03:15 +0200
Message-ID: <453882C3.3060609@gmx.de>
To: Robert Sayre <sayrer@gmail.com>
CC: Larry Masinter <masinter@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Robert Sayre wrote:
> ...
> I think anyone entertaining an HTTP revision is a fool to do so
> without a clear statement on security requirements. The last upgrade
> HTTP security received was SSL, courtesy of Netscape Communications.
> ...

Well, as Roy pointed out, a revision of HTTP/1.1 must not break 
implementations that comply with RFC2616. As RFC2616 doesn't have MTI 
security, this is it.

If the IESG doesn't allow a bug-fix revision of a standards track 
document for the reasons above, it really should stick to its own rules 
(RFC2026), declare that spec as "historic", and - should the spec be of 
any importance - start an activity to define a successor specification. 
In general, the whole issue of revising an IETF spec IMHO is very 
problematic; compare that with the W3C which has failed with XML 1.1, 
but at least maintains XML 1.0 properly (4th edition published in August).

Best regards, Julian
Received on Friday, 20 October 2006 08:03:20 GMT
