W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

RE: security requirements

From: Paul Leach <paulle@windows.microsoft.com>
Date: Fri, 20 Oct 2006 11:10:38 -0700
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02810454@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

I don't get it. An application of HTTP could certainly say that a
conforming implementation has to be based on an implementation of HTTP
that supports Digest (for example). That should satisfy the MTI rule,
wouldn't it? This doesn't seem that hard, once the rules and the
motivation for them are understood.

Or, a new auth mechanism for HTTP could be created, and then the
application could make that mechanism mandatory. The downside would be
that not many conforming implementations would initially exist until the
new mechanism was widely deployed, but if the new mechanism had enough
value, then the fact that it was MTI for valuable HTTP application would
hasten its deployment.

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Friday, October 20, 2006 3:11 AM
To: HTTP Working Group
Cc: Paul Leach
Subject: Re: security requirements

But Robert's complaint was triggered by the IESG asking for that kind of

security mechanism for specs that just happen to *use* HTTP, such as 
AtomPub, CalDAV or XCAP. Those are applications of HTTP, not new
protocols.

Best regards, Julian
Received on Friday, 20 October 2006 18:08:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT