W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: <lists@ingostruck.de>
Date: Sat, 4 Nov 2006 22:14:16 +0000
To: "Robert Sayre" <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <200611042214.18684.lists@ingostruck.de>

Lisa, Robert,

> > "An HTTP client MUST NOT send a version for which it is not at least
> > conditionally compliant.'
>
> Sorry, that's from RFC 2145. The send button was clicked a bit early. :)
>
> In any case, the requirements and semantics of HTTP version numbers
> seem clear as a bell to me. I don't see any interpretation that allows
> something as radical as the addition of a mandatory security mechanism
> without incrementing the version number.
Agreed -- just like indicated in my email from 2006-10-18:
there is no reasonable way to add mandatory requirements
without changing version numbers or breaking conformance
of existing implementations (regardless whether server or client).
imho to drop to require broken legacy stuff (basic auth) seems
feasible, to add to require the impl of any mandatory auth scheme
seems not.
Moreover I would consider the introduction of such a requirement
a regression due to the existence of applications with 
"legitimately anonymous" usage of http (see my aforementioned mail
to the wg list).

Kind regards

Ingo Struck
Received on Saturday, 4 November 2006 21:11:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT