
RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Sat, 4 Nov 2006 13:13:41 -0800
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02B0964E@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Robert Sayre <sayrer@gmail.com>, Henrik Nordstrom <hno@squid-cache.org>
CC: HTTP Working Group <ietf-http-wg@w3.org>

Making one or both of the existing auth protocols mandatory-to-implement
does not change the protocol at all, so no version number change is
necessary.

That's because making a protocol feature mandatory-to-implement does NOT
make it mandatory to configure. Hence, for example, one could not
deduce, from either an HTTP/1.1 or a new HTTP/1.2 sent by a client, that
a server can send a Basic or Digest challenge and be assured that it will
be understood by the client.

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Robert Sayre
Sent: Saturday, November 04, 2006 3:17 PM


[Paul Leach] snip

In any case, the requirements and semantics of HTTP version numbers
seem clear as a bell to me. I don't see any interpretation that allows
something as radical as the addition of a mandatory security mechanism
without incrementing the version number.

-- 

Robert Sayre
Received on Saturday, 4 November 2006 21:14:35 GMT
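The distinction drawn in the message above, between a scheme a client implements and a scheme it is configured to use, can be made concrete on the client side. The Python below is an added example, not code from this thread or from any implementation its participants worked on. It parses a WWW-Authenticate header that offers both Digest and Basic (RFC 2617 permits several challenges in one header), selects the strongest scheme that is both implemented and configured, and computes the RFC 2617 Digest response for qop=auth. The server header, the configured sets and the non-ASCII password are constructed for the example; the username, realm, nonce, URI, cnonce and expected response are the RFC 2617 section 3.5 test vector. Because the hash runs over bytes, the encoding is an explicit parameter, which is where the UTF-8 question in the thread subject enters.

```python
import hashlib
import re

# One item of a WWW-Authenticate value: either a bare scheme name ("Digest")
# or a key=value parameter with a quoted or unquoted value. token68
# credentials (e.g. "Negotiate abc==") are deliberately not handled here.
_ITEM_RE = re.compile(
    r'\s*(?P<tok>[A-Za-z][\w-]*)'
    r'(?:\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<raw>[^\s,"]+)))?'
    r'\s*,?'
)

# Constructed server header offering two challenges in a single field.
SERVER_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41", '
    'Basic realm="testrealm@host.com"'
)

# Schemes this client implements, strongest first. Implementing a scheme is
# a property of the code; enabling it is a deployment decision, passed to
# choose_challenge() as the `configured` set.
IMPLEMENTED = ("digest", "basic")


def parse_challenges(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    pos, end = 0, len(header.rstrip())
    while pos < end:
        m = _ITEM_RE.match(header, pos)
        if m is None:
            raise ValueError("malformed WWW-Authenticate at offset %d" % pos)
        pos = m.end()
        tok, quoted, raw = m.group("tok", "quoted", "raw")
        if quoted is None and raw is None:
            challenges.append((tok.lower(), {}))  # bare token starts a new challenge
        elif not challenges:
            raise ValueError("parameter %r appears before any scheme" % tok)
        else:
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else raw
            challenges[-1][1][tok.lower()] = value
    return challenges


def choose_challenge(header, configured):
    """Return (scheme, params) for the strongest offered challenge that is
    both implemented and configured, or None. The HTTP version of the
    request plays no part in this decision."""
    offered = dict(parse_challenges(header))
    for scheme in IMPLEMENTED:
        if scheme in offered and scheme in configured:
            return scheme, offered[scheme]
    return None


def digest_response(params, username, password, method, uri, nc, cnonce,
                    encoding="utf-8"):
    """RFC 2617 'response' value for algorithm=MD5, qop=auth.
    Credentials are hashed as bytes, so `encoding` changes the result for
    any non-ASCII username or password."""
    def h(s):
        return hashlib.md5(s.encode(encoding)).hexdigest()
    ha1 = h("%s:%s:%s" % (username, params["realm"], password))
    ha2 = h("%s:%s" % (method, uri))
    return h(":".join([ha1, params["nonce"], nc, cnonce, "auth", ha2]))


if __name__ == "__main__":
    print(parse_challenges(SERVER_CHALLENGE))
    # Same code, same request version, different configuration, different outcome.
    print(choose_challenge(SERVER_CHALLENGE, configured={"digest"}))
    print(choose_challenge(SERVER_CHALLENGE, configured={"basic"}))
    print(choose_challenge(SERVER_CHALLENGE, configured=set()))
    scheme, params = choose_challenge(SERVER_CHALLENGE, configured={"digest", "basic"})
    print(scheme, digest_response(params, "Mufasa", "Circle Of Life", "GET",
                                  "/dir/index.html", "00000001", "0a4f113b"))
```

A client configured with an empty set gets None from every challenge even though both schemes are compiled in, which is exactly why a version number sent by the client cannot promise the server that a challenge will be understood. The last two calls in the test below hash the same non-ASCII password under UTF-8 and Latin-1 and get different responses, so a server and client that disagree on the encoding will never authenticate each other.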