Re: security requirements

On 10/20/06, Paul Leach <paulle@windows.microsoft.com> wrote:
> IMO, the biggest threat is that vendors ship implementations that simply
> _can't_ be configured to interoperate.
>

Right, that's the conventional wisdom. Experience with HTTP shows that
server deployments drive clients to support as many HTTP security
mechanisms as they can. Undocumented mechanisms have been a problem.

HTTP security now takes place via forms, cookies, redirects, and
rubber bands. I think the IETF should create a bunch of new mechanisms
and see which one wins. Maybe there will be something to require in
2010.

> I don't see any technical solution.

Right.

-- 

Robert Sayre

Received on Friday, 20 October 2006 18:12:39 UTC