W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Sat, 4 Nov 2006 21:41:07 +0100
Message-Id: <BECB6777-31AB-4A7B-9B1C-785C70D1C593@greenbytes.de>
Cc: "Henrik Nordstrom" <hno@squid-cache.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
To: Robert Sayre <sayrer@gmail.com>


Am 04.11.2006 um 21:16 schrieb Robert Sayre:

>
> On 11/4/06, Robert Sayre <sayrer@gmail.com> wrote:
>> "An HTTP client MUST NOT send a version for which it is not at least
>> conditionally compliant.'
>>
>
> Sorry, that's from RFC 2145. The send button was clicked a bit  
> early. :)
>
> In any case, the requirements and semantics of HTTP version numbers
> seem clear as a bell to me. I don't see any interpretation that allows
> something as radical as the addition of a mandatory security mechanism
> without incrementing the version number.

+1.

And besides, I fail to see what shall be accomplished here. I get the  
feeling that people think that waving the magic wand of specification  
revisions will instantaneously change the world around them. It will  
not.

If the spec would be changed in this way, all a reasonable server  
could deduce from a HTTP/1.1 request is that the client *may*  
implement the now mandatory to implement authentication schemes. That  
seems a bit thin a gain compared to the current situation, e.g. the  
server can assume that the client *may* implement basic and digest.

//Stefan
Received on Saturday, 4 November 2006 20:41:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT