Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 07 Jun 2007 18:11:53 -0400
Message-ID: <466882A9.5010303@cs.utk.edu>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Paul Hoffman <phoffman@imc.org>, Apps Discuss <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Julian Reschke wrote:
> Keith Moore wrote:
>> no.  deprecate 2617.  deprecate the framework that is in 2616.  HTTP
>> security needs a clean slate approach.
>
> I personally have no problem with this. In the wild, most
> authentication isn't using RFC2617 anyway.
>
> However, my understanding is that the IESG doesn't allow RFC2616bis
> not to discuss authentication in *some* manner.
I'm certain that there will have to be a good answer to the
authentication question before 2616bis will be allowed to get any kind
of standardization status.  (it could probably be in a separate document).
> BTW: does the framework really require fixing?
I am pretty sure that it does.  I think sites will continue to insist on
being in control of the look and feel of the username/password dialog. 
I also think that the phishing concerns have to be dealt with.  The two
of these together make for an interesting set of constraints.

Keith
Received on Thursday, 7 June 2007 22:12:28 GMT
