Re: security requirements

From: Robert Sayre <sayrer@gmail.com>
Date: Fri, 20 Oct 2006 14:12:24 -0400
Message-ID: <68fba5c50610201112p59e866e3o27b329301821b984@mail.gmail.com>
To: "Paul Leach" <paulle@windows.microsoft.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 10/20/06, Paul Leach <paulle@windows.microsoft.com> wrote:
> IMO, the biggest threat is that vendors ship implementations that simply
> _can't_ be configured to interoperate.
>

Right, that's the conventional wisdom. Experience with HTTP shows that
server deployments drive clients to support as many HTTP security
mechanisms as they can. Undocumented mechanisms have been a problem.

HTTP security now takes place via forms, cookies, redirects, and
rubber bands. I think the IETF should create a bunch of new mechanisms
and see which one wins. Maybe there will be something to require in
2010.

> I don't see any technical solution.

Right.

-- 

Robert Sayre
Received on Friday, 20 October 2006 18:12:39 GMT
