
Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Sun, 5 Nov 2006 13:23:23 -0800
Message-Id: <14E1DF64-1DA0-4668-A84D-54FE665D9681@osafoundation.org>
Cc: Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
To: Henrik Nordstrom <hno@squid-cache.org>


On Nov 4, 2006, at 2:42 PM, Henrik Nordstrom wrote:

> On Sat, 2006-11-04 at 17:27 -0500, Robert Sayre wrote:
>> On 11/4/06, Henrik Nordstrom <hno@squid-cache.org> wrote:
>>> On Sat, 2006-11-04 at 17:07 -0500, Robert Sayre wrote:
>>>
>>>> A new RFC can make a header mandatory for RFCNNNN compliance, but not
>>>> HTTP/1.1 compliance.
>>>
>>> Exactly what I said.
>>
>> OK. Then I submit that such an RFC cannot claim to define HTTP/1.1.
>
> Agreed. It's at most a standards track extension to HTTP/1.1.

Slight disagreement here: if RFCNNNN obsoleted RFC2616, without  
bumping the version number, it had better be backwards compatible --  
but it is more than a standards track extension to HTTP/1.1, it  
becomes the new best definition of HTTP/1.1.

>
> Also, for the record, I am against making implementation of strong
> authentication mandatory for HTTP protocol compliance.
>
> A requirement of implementation of a well defined strong authentication
> scheme IF authentication is implemented is fine however.

That's not a bad start.  The next thing to think about is to ask in  
what cases authentication implementation IS required.  I certainly  
agree with those who've said that authentication isn't necessary in  
some uses of HTTP.

Lisa
Received on Sunday, 5 November 2006 21:23:39 GMT
