
Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Robert Sayre <sayrer@gmail.com>
Date: Sat, 4 Nov 2006 14:59:23 -0500
Message-ID: <68fba5c50611041159g331e2230r3e9fb4c52be51902@mail.gmail.com>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 11/4/06, Henrik Nordstrom <hno@squid-cache.org> wrote:
> Sat 2006-11-04 at 10:47 -0800, Lisa Dusseault wrote:
>
> > So I guess a decision that CLIENTS MUST support Basic and Digest in a
> > new HTTP RFC, might be signalled by a minor version bump.
>
> I too don't see why a version bump would even be remotely needed in this
> case. It's already the server who dictates which authentication
> protocols are acceptable to the server,

An HTTP/1.1 message is not a guarantee that the sender supports any
authentication mechanism. Servers receiving a hypothetical HTTP/1.2
message could make that assumption.

> HTTP version numbers do have an implicit defined meaning:

They have an explicit meaning. See RFC 2145. Additionally, RFC 2616
section 3 defines the term "conditional compliance", which is not
compatible with the addition of a MUST-level security mechanism.

"An HTTP client MUST NOT send a version for which it is not at least
conditionally compliant."

-- 

Robert Sayre
Received on Saturday, 4 November 2006 19:59:34 GMT
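The negotiation the message above refers to, as an added example (not code from this thread or from any HTTP implementation): the server lists the schemes it will accept in a WWW-Authenticate challenge, the client answers with one it implements, and the request's HTTP-version field tells the server nothing about which schemes the client supports. The client preference list, the `parse_www_authenticate`/`choose_scheme`/`server_accepts` helpers and every header value below are constructed for illustration.

```python
# Added example, not code from the original message or from any HTTP
# implementation: a minimal model of the challenge/response negotiation
# discussed above.  The server dictates acceptable schemes through
# WWW-Authenticate; the client's capabilities are only revealed by the
# Authorization header it sends back.  All header values are constructed.
from __future__ import annotations

import re

# RFC 2617 allows several challenges in one header, separated by commas,
# while each challenge's own auth-params are also comma-separated (and
# quoted values may contain commas), so header.split(",") is not a
# correct parser.  A parameter is always "token=value"; a bare token
# followed by whitespace, a comma or end-of-header starts a new challenge.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(r"\s*,?\s*(" + _TOKEN + r")(?=\s|,|$)")
_PARAM = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*"                    # name =
    + r'(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r"))"    # quoted-string | token
    + r"\s*,?"                                        # optional separator
)


def parse_www_authenticate(header: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(scheme, params), ...] in the order the server listed them."""
    header = header.strip()
    challenges: list[tuple[str, dict[str, str]]] = []
    pos = 0
    while pos < len(header):
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {header[pos:]!r}")
        scheme, pos = m.group(1).lower(), m.end()
        params: dict[str, str] = {}
        while (p := _PARAM.match(header, pos)):
            name = p.group(1).lower()
            if p.group(2) is None:
                value = p.group(3)                       # bare token
            else:
                value = re.sub(r"\\(.)", r"\1", p.group(2))  # unescape quoted-pair
            if name in params:
                raise ValueError(f"duplicate parameter {name!r} in {scheme} challenge")
            params[name] = value
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


# Schemes this (hypothetical) client implements, strongest first.  Whether
# to answer a Basic challenge at all is the client's policy decision; the
# server learns the outcome only from the Authorization header.
CLIENT_SCHEMES = ("digest", "basic")


def choose_scheme(www_authenticate: str, supported=CLIENT_SCHEMES):
    """Client side: first scheme in our preference list that the server offered."""
    offered = parse_www_authenticate(www_authenticate)
    for wanted in supported:
        for scheme, params in offered:
            if scheme == wanted:
                return scheme, params
    return None  # nothing in common: the client cannot authenticate here


def server_accepts(authorization: str, www_authenticate: str) -> bool:
    """Server side: accept only a scheme that the server actually challenged for."""
    scheme = authorization.split(None, 1)[0].lower() if authorization.strip() else ""
    offered = {s for s, _ in parse_www_authenticate(www_authenticate)}
    return scheme in offered


# Constructed sample challenge: two schemes, with commas inside quoted values.
CHALLENGE = (
    'Digest realm="api", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5, '
    'Basic realm="api, legacy"'
)

if __name__ == "__main__":
    for scheme, params in parse_www_authenticate(CHALLENGE):
        print(scheme, params)
    print(choose_scheme(CHALLENGE))                        # digest is preferred
    print(choose_scheme(CHALLENGE, supported=("basic",)))  # a Basic-only client
    print(server_accepts("Bearer abc", CHALLENGE))         # not offered: False
```

Nothing in `parse_www_authenticate` or `server_accepts` looks at the request line: a client that sends `HTTP/1.1` may implement both schemes, one, or neither, and the server only finds out from the `Authorization` response it gets back.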
