W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: WGLC issue for p7: "strength"

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sat, 24 Mar 2012 12:51:45 +1300
Message-ID: <4F6D0C91.2070604@treenet.co.nz>
To: ietf-http-wg@w3.org
On 24/03/2012 12:27 p.m., Martin Thomson wrote:
>>> And maybe the use of MUST is not appropriate here.
>> That's what I was thinking too.
> Saying nothing works.  "The user agent MUST select one auth-scheme
> that it understands..."
>
> Or you remove the MUST altogether, there's nothing saying that a user
> agent couldn't just go off and make a cup of tea when it encounters an
> WWW-Authenticate.
>
> "The user agent selects one challenge that it can use..."
>

Was not the reasoning behind that MUST to prevent mishaps like IE6 
selecting the first presented option even if it was the worst security-wise?

I would think this is a case for the auth scheme specifictions to ouline 
which alternative schemes they are stronger/weaker than, and in what ways.
It does not really matter to HTTP which scheme is selected, only that 
any security resulting is the best available.

AYJ
Received on Friday, 23 March 2012 23:52:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT