
Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Sat, 04 Nov 2006 14:41:55 -0600
Message-ID: <454CFB13.2080402@rowe-clan.net>
To: Lisa Dusseault <lisa@osafoundation.org>
CC: "Roy T. Fielding" <fielding@gbiv.com>, Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Lisa Dusseault wrote:
> 
> So I guess a decision that CLIENTS MUST support Basic and Digest in a
> new HTTP RFC, might be signalled by a minor version bump.[...]

> But a decision that SERVERS MUST support Basic and Digest -- well that
> doesn't need a version bump at all to work.  We already have a way for
> servers to advertise support insofar as that's necessary for those
> algorithms.

This doesn't parse - it would immediately break a massive number of web
applications, much as Microsoft recently did in the IE client 'security'
patches through their re-POST of failed POST requests sans request body.
Requirements even on the server side can't realistically be altered
within the confines of HTTP/1.0 / 1.1.

The only answer is to remove Basic for HTTP/1.2 or /2.0 in the future
revision of the spec as a fundamentally broken mechanism, much as the
HTTP/1.1 spec introduced mandatory Host headers to force all browsers
over to mass vhosting by-name.

Bill
Received on Saturday, 4 November 2006 20:42:02 GMT
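The two spec points in the message above (HTTP/1.1 making the Host header mandatory, and Basic being a mechanism whose credentials are fully recoverable from the header) can be shown in a few lines of request inspection. The following is an added example written for this archive page, not code from any list participant; the function names and the sample requests are constructed here, and the Digest sample uses placeholder nonce and response values rather than real ones.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def parse_request_head(raw: str) -> Tuple[str, str, str, Headers]:
    """Split the head of a raw HTTP request into (method, target, version, headers).
    Header names are lower-cased for lookup; values keep their original form."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def check_host_requirement(version: str, headers: Headers) -> Optional[str]:
    """HTTP/1.1 made Host mandatory (RFC 2616 section 14.23): a 1.1 request
    without it must be answered with 400. HTTP/1.0 requests are exempt."""
    if version == "HTTP/1.1" and "host" not in headers:
        return "400 Bad Request: HTTP/1.1 request without Host header"
    return None


# key="quoted value" or key=token, as used by Digest authorization parameters
_DIGEST_PARAM = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^,\s]+))')


def classify_authorization(value: Optional[str]) -> dict:
    """Identify the credential scheme and whether the password can be read
    back from the header. Basic is only base64, so it decodes directly;
    Digest carries a hash response instead of the password."""
    if value is None:
        return {"scheme": None}
    scheme, _, params = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(params.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return {"scheme": "basic", "malformed": True}
        user, _, password = decoded.partition(":")
        return {"scheme": "basic", "user": user, "password_recoverable": password != ""}
    if scheme == "digest":
        fields = {k: q or u for k, q, u in _DIGEST_PARAM.findall(params)}
        return {
            "scheme": "digest",
            "user": fields.get("username"),
            "qop": fields.get("qop"),
            "password_recoverable": False,
        }
    return {"scheme": scheme}


def audit_request(raw: str, over_tls: bool) -> List[str]:
    """Return the findings a server-side check would raise for one request:
    the mandatory-Host violation, and Basic credentials sent without TLS."""
    findings: List[str] = []
    _, _, version, headers = parse_request_head(raw)
    host_problem = check_host_requirement(version, headers)
    if host_problem:
        findings.append(host_problem)
    auth = classify_authorization(headers.get("authorization"))
    if auth["scheme"] == "basic" and auth.get("password_recoverable") and not over_tls:
        findings.append(f"Basic credentials for user {auth['user']!r} sent in the clear")
    return findings


# Constructed sample requests (not captured traffic). The Basic value is the
# well-known "Aladdin:open sesame" encoding; the Digest values are placeholders.
BASIC_NO_HOST = (
    "GET /secret HTTP/1.1\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n"
)
DIGEST_WITH_HOST = (
    "GET /dir/index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    'Authorization: Digest username="alice", realm="example", '
    'nonce="constructed-nonce", uri="/dir/index.html", qop=auth, '
    'nc=00000001, cnonce="constructed-cnonce", response="constructed-response"\r\n\r\n'
)

if __name__ == "__main__":
    for name, req in (("basic/no-host", BASIC_NO_HOST), ("digest", DIGEST_WITH_HOST)):
        print(name, audit_request(req, over_tls=False))
```

Run stand-alone it prints two findings for the first request (missing Host, cleartext Basic credentials) and none for the second. The point the check makes is the one in the thread: a server can enforce a header requirement with a 400 response, exactly as HTTP/1.1 did for Host, but nothing a server advertises changes the fact that a Basic header is a reversible encoding of the password, so its safety rests entirely on the transport.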
