- From: Cyrus Daboo <cyrus@daboo.name>
- Date: Thu, 31 May 2007 09:42:22 -0400
- To: Robert Sayre <sayrer@gmail.com>, Mark Nottingham <mnot@mnot.net>
- cc: Larry Masinter <LMM@acm.org>, Eliot Lear <lear@cisco.com>, Julian Reschke <julian.reschke@gmx.de>, Paul Hoffman <phoffman@imc.org>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org
Hi Robert,

--On May 31, 2007 1:28:39 AM -0400 Robert Sayre <sayrer@gmail.com> wrote:

> My feeling is that the current schemes can be updated by documenting
> the internationalization behavior of popular implementations, but
> nothing else is worth doing.

I disagree. I think we need to go a lot further.

My suggestion would be to throw away 2617 as-is, and instead do something more akin to the SASL document set, i.e. a "framework" document describing the general issues of HTTP authentication that lays out the groundwork for the existing HTTP-based auth schemes, plus documents other auth schemes in use (form-based, cookie-based, etc.). We then have separate documents for each of the HTTP-based schemes, Basic and Digest, and we should add Kerberos/SPNEGO to that too. Having those as separate documents will make updates in the future an easier process. If we want to document other types in more detail (as proposed or informational) that could be done too.

I would also like to see the "webmail" (proxying credentials through a web-app to some back-end service) issue dealt with too, ideally with the Kerberos mechanism as a basis (and others too that make sense).

I think all that is a lot more work than just a quick rev of 2617. Given that it involves a lot of security there will be a need to have the direct participation of the Security area folks. They are less likely to be interested in the minutiae of 2616bis though. So I think separate working groups would be better because of the different cross-area participation requirements.

-- 
Cyrus Daboo
Received on Thursday, 31 May 2007 13:42:58 UTC