W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements

From: Robert Sayre <sayrer@gmail.com>
Date: Fri, 20 Oct 2006 14:12:24 -0400
Message-ID: <68fba5c50610201112p59e866e3o27b329301821b984@mail.gmail.com>
To: "Paul Leach" <paulle@windows.microsoft.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 10/20/06, Paul Leach <paulle@windows.microsoft.com> wrote:
> IMO, the biggest threat is that vendors ship implementations that simply
> _can't_ be configured to interoperate.

Right, that's the conventional wisdom. Experience with HTTP shows that
server deployments drive clients to support as many HTTP security
mechanisms as they can. Undocumented mechanisms have been a problem.

HTTP security now takes place via forms, cookies, redirects, and
rubber bands. I think the IETF should create a bunch of new mechanisms
and see which one wins. Maybe there will be something to require in

> I don't see any technical solution.



Robert Sayre
Received on Friday, 20 October 2006 18:12:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:40 UTC