W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

RE: security requirements

From: Paul Leach <paulle@windows.microsoft.com>
Date: Fri, 20 Oct 2006 02:04:59 -0700
Message-ID: <76323E9F0A911944A4E9225FACFC55BA028102F3@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

I don't think the IETF bashing is warranted. They made a mistake in not
requiring us to specify an MTI security mechanism in 2617 (and in having
2616 require that a conformant implementation support 2617). There was
no tacit agreement by some "in-crowd" that we didn't have to live by the
rules.

As I indicated in an earlier post, perhaps it was the prevalence of
legitimate anonymous access with HTTP that caused this oversight. Given
the to-do raised by Mr. Sayre recently, I doubt that anyone doing
HTTP/1.2 will have to worry about (or could count on) a similar
oversight :-)

Historically, the rules evolved because for a long time most protocol
designers totally ignored security -- throwing in plain-text passwords
at best. Hence the requirement to have non-plaintext-password
authentication, and security considerations sections. The notion of MTI
actually is totally independent of security -- it is a general principle
of protocol design for any protocol that has options, in order to
guarantee that conforming implementations can always be configured to
interoperate. (This was in reaction to the ISO protocol mess with
non-interoperable "profiles" of the 1980's.)
Received on Friday, 20 October 2006 09:04:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT