
RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Sat, 4 Nov 2006 22:51:03 -0800
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02B09693@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
CC: Robert Sayre <sayrer@gmail.com>, Henrik Nordstrom <hno@squid-cache.org>, HTTP Working Group <ietf-http-wg@w3.org>



-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of William A. Rowe, Jr.
Sent: Sunday, November 05, 2006 1:22 AM
To: Paul Leach
Cc: Robert Sayre; Henrik Nordstrom; HTTP Working Group
Subject: Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)


Paul Leach wrote:
> 
> That's because making a protocol feature mandatory-to-implement does NOT
> make it mandatory to configure. Hence, for example, one could not
> deduce, from either an HTTP/1.1 or a new HTTP/1.2 sent by a client, that
> a server can send Basic or Digest challenge and be assured that it will
> be understood by the client.

Not if they implemented an RFC 2616 client.
[Paul Leach] Why do you think that? 2616 says that authentication is
OPTIONAL:

11 Access Authentication

   HTTP provides several OPTIONAL challenge-response authentication
   mechanisms which can be used by a server to challenge a client
   request and by a client to provide authentication information. The
   general framework for access authentication, and the specification of
   "basic" and "digest" authentication, are specified in "HTTP
   Authentication: Basic and Digest Access Authentication" [43]. This
   specification adopts the definitions of "challenge" and "credentials"
   from that specification.
Received on Sunday, 5 November 2006 06:51:46 GMT
