
RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Sat, 4 Nov 2006 20:10:09 -0800
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02B09686@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Robert Sayre <sayrer@gmail.com>
CC: Henrik Nordstrom <hno@squid-cache.org>, HTTP Working Group <ietf-http-wg@w3.org>

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Robert Sayre

On 11/4/06, Paul Leach <paulle@windows.microsoft.com> wrote:
> It's what those words mean.

With no malice, I don't think you have a good understanding of how the
IESG interprets "mandatory-to-implement".
[Paul Leach] I believe I do. I've been through this a couple times
before with other RFCs.

Let's say Basic becomes mandatory-to-implement. That means FooCorp
could not distribute a FooCorp-branded client that has no way to be
configured for Basic authentication and claim HTTP conformance.
[Paul Leach] That's correct. But it can be compliant and be _configured_
to _not_ use Basic, as long as it can also be configured _to_ use Basic
-- i.e., as long as it implements Basic. That's the difference between
MUST and a "mandatory-to-implement" option.

Which is pretty silly given that proprietary Web server applications
exist only as deployed--there is no separate "implementation".
[Paul Leach] I don't understand the above sentence.
Received on Sunday, 5 November 2006 04:10:56 UTC
