Re: security requirements

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 05 Nov 2006 19:59:38 +0100
Message-ID: <454E349A.1030005@gmx.de>
To: lists@ingostruck.de
CC: Robert Sayre <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>, HTTP Working Group <ietf-http-wg@w3.org>

lists@ingostruck.de schrieb:
> Lisa, Robert,
> 
>>> "An HTTP client MUST NOT send a version for which it is not at least
>>> conditionally compliant.'
>> Sorry, that's from RFC 2145. The send button was clicked a bit early. :)
>>
>> In any case, the requirements and semantics of HTTP version numbers
>> seem clear as a bell to me. I don't see any interpretation that allows
>> something as radical as the addition of a mandatory security mechanism
>> without incrementing the version number.
> Agreed -- just like indicated in my email from 2006-10-18:
> there is no reasonable way to add mandatory requirements
> without changing version numbers or breaking conformance
> of existing implementations (regardless whether server or client).

...unless it could be demonstrated that in practice all implementations 
are already compliant with that new requirement (which I doubt is going to 
happen :-).

> imho to drop to require broken legacy stuff (basic auth) seems
> feasible, to add to require the impl of any mandatory auth scheme
> seems not.

Yep.

HTTP/1.1 is widely deployed. Changing the mandatory requirements so that 
existing compliant implementations become non-compliant just doesn't 
compute.

> ...

Best regards, Julian
Received on Sunday, 5 November 2006 19:06:24 GMT