Re: Straw-man charter for http-bis

From: Justin Erenkrantz <justin@erenkrantz.com>
Date: Thu, 7 Jun 2007 10:57:23 -0700
Message-ID: <5c902b9e0706071057y5ad331acwc07439c50b08cc07@mail.gmail.com>
To: "Paul Hoffman" <phoffman@imc.org>
Cc: "Keith Moore" <moore@cs.utk.edu>, "Apps Discuss" <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 6/7/07, Paul Hoffman <phoffman@imc.org> wrote:
>
> At 12:09 PM -0400 6/7/07, Keith Moore wrote:
> >2617 doesn't need clarification, it needs to be deprecated and replaced
> >with not only different schemes but an entirely different framework.
>
> We need to deal with the real world. In the real world, Basic and
> Digest Auth are used. In the real world, the better replacement for
> them is not deployed. It is fine for us to say "please stop doing
> that, use this instead", but it is myopic and unhelpful to deprecate
> something that is in widespread use.

Right - the IETF can wave a magic wand here, but it won't help as
deploying new versions of the servers and the clients takes years.

Furthermore, my understanding is that IESG now requires all new
protocols to always be secure.  I think that *mandating* that we use
SSL (or some similar connection-oriented security mechanism) for *all*
Web traffic is going to kill everyone.  As long as authentication
remains optional, I'm okay - but if it's mandatory or required to be
the default behavior, I very likely won't support implementation of
such a short-sighted standard.  -- justin
Received on Thursday, 7 June 2007 17:57:30 GMT
