- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Sat, 4 Nov 2006 22:51:03 -0800
- To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
- CC: Robert Sayre <sayrer@gmail.com>, Henrik Nordstrom <hno@squid-cache.org>, HTTP Working Group <ietf-http-wg@w3.org>
-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of William A. Rowe, Jr.
Sent: Sunday, November 05, 2006 1:22 AM
To: Paul Leach
Cc: Robert Sayre; Henrik Nordstrom; HTTP Working Group
Subject: Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

Paul Leach wrote:
>
> That's because making a protocol feature mandatory-to-implement does NOT
> make it mandatory to configure. Hence, for example, one could not
> deduce, from either an HTTP/1.1 or a new HTTP/1.2 sent by a client, that
> a server can send Basic or Digest challenge and be assured that it will
> be understood by the client.

Not if they implemented an RFC 2616 client.

[Paul Leach] Why do you think that? 2616 says that authentication is OPTIONAL:

11 Access Authentication

HTTP provides several OPTIONAL challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to provide authentication information. The general framework for access authentication, and the specification of "basic" and "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" [43]. This specification adopts the definitions of "challenge" and "credentials" from that specification.
Received on Sunday, 5 November 2006 06:51:46 UTC
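The point being argued above, as an added example that is not part of the thread and not code from any implementation it mentions: the client side of an RFC 2617 challenge. It parses a WWW-Authenticate value (challenges and auth-params share the comma separator, so a new challenge is recognised only by a token that is not followed by "="), picks the strongest scheme the client actually implements, and returns None when it implements none of what was offered. Nothing in the request's HTTP-version line tells the server which of those branches a given client will take. All function names are invented for this example; the sample challenge is constructed from the parameter values of the RFC 2617 section 3.5 example, and the octet encoding of username and password is assumed to be ISO-8859-1, the very thing the thread's subject proposes to change to UTF-8.

```python
"""Client-side handling of RFC 2617 Basic/Digest challenges (added example)."""
import hashlib
import re
from base64 import b64encode

# RFC 2616 token / quoted-string lexer.  Assumption: token68 forms such as
# "Negotiate <base64>" are out of scope, since RFC 2617 does not define them.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_LEXER = re.compile(rf"({_QUOTED})|({_TOKEN})|([=,])|(\s+)")

# Constructed sample using the RFC 2617 s3.5 example values, plus a Basic
# challenge for the same realm.
SAMPLE_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41", '
    'Basic realm="testrealm@host.com"'
)


def parse_challenges(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    toks, pos = [], 0
    while pos < len(header):
        m = _LEXER.match(header, pos)
        if not m:
            raise ValueError(f"bad syntax at offset {pos}: {header[pos:pos + 10]!r}")
        pos = m.end()
        if not m.group(4):                      # drop whitespace
            toks.append(m.group(0))
    challenges, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t == ",":
            i += 1
        elif t == "=" or t.startswith('"'):
            raise ValueError(f"unexpected {t!r}: expected scheme or auth-param name")
        elif i + 1 < len(toks) and toks[i + 1] == "=":       # auth-param
            if not challenges or i + 2 >= len(toks) or toks[i + 2] in ("=", ","):
                raise ValueError(f"auth-param {t!r} without scheme or value")
            v = toks[i + 2]
            if v.startswith('"'):               # unquote, undo quoted-pair escapes
                v = re.sub(r"\\(.)", r"\1", v[1:-1])
            challenges[-1][1][t.lower()] = v
            i += 3
        else:                                   # bare token: a new challenge
            challenges.append((t.lower(), {}))
            i += 1
    return challenges


def choose_challenge(challenges, implemented):
    """Strongest offered challenge the client implements, else None.

    Assumption: Digest is preferred over Basic (Basic carries the password in
    clear).  Only the client knows what it implements and is configured to use.
    """
    for scheme in ("digest", "basic"):
        if scheme in implemented:
            for offered, params in challenges:
                if offered == scheme:
                    return offered, params
    return None


def _h(s):
    # RFC 2617 does not define the octet encoding of the strings hashed here;
    # this example assumes ISO-8859-1.
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def basic_credentials(user, password):
    return "Basic " + b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


def digest_credentials(params, user, password, method, uri, cnonce, nc=1):
    """RFC 2617 s3.2.2 request-digest for algorithm=MD5 and qop=auth only."""
    if params.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is implemented here")
    if "auth" not in [q.strip() for q in params.get("qop", "").split(",")]:
        raise ValueError("only qop=auth is implemented here")
    ha1 = _h(f"{user}:{params['realm']}:{password}")
    ha2 = _h(f"{method}:{uri}")
    ncv = f"{nc:08x}"
    response = _h(f"{ha1}:{params['nonce']}:{ncv}:{cnonce}:auth:{ha2}")
    fields = [f'username="{user}"', f'realm="{params["realm"]}"',
              f'nonce="{params["nonce"]}"', f'uri="{uri}"', "qop=auth",
              f"nc={ncv}", f'cnonce="{cnonce}"', f'response="{response}"']
    if "opaque" in params:                      # must be echoed unchanged
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


def answer_challenge(header, implemented, user, password, method, uri, cnonce="0a4f113b"):
    """Authorization value for a 401, or None if the client cannot answer it."""
    chosen = choose_challenge(parse_challenges(header), implemented)
    if chosen is None:
        return None
    scheme, params = chosen
    if scheme == "basic":
        return basic_credentials(user, password)
    return digest_credentials(params, user, password, method, uri, cnonce)


if __name__ == "__main__":
    args = ("Mufasa", "Circle Of Life", "GET", "/dir/index.html")
    print(answer_challenge(SAMPLE_CHALLENGE, {"digest", "basic"}, *args))
    print(answer_challenge(SAMPLE_CHALLENGE, {"basic"}, *args))
    print(answer_challenge('Digest realm="r", nonce="n", qop="auth"', {"basic"}, *args))
```

The last call in the main block is the case the message is about: a Digest-only challenge sent to a client that implements only Basic (or nothing) yields no credentials at all, and the server learned nothing about that from the request that triggered the 401.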