Re: draft-ietf-httpbis-bcp56bis-11, "4.12. Client Authentication"

For the scope of this specification (recommendations to IETF-defined standards that use HTTP), I think it is.

What do others think?


> On 6 Apr 2021, at 2:39 am, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> "...The Basic authentication scheme [RFC7617] MUST NOT be used unless
> the underlying transport is authenticated, integrity-protected and
> confidential (e.g., as provided the "HTTPS" URI scheme, or another using
> TLS). ..."
> 
> This actually modifies a SHOULD-level requirement from RFC 7617 -- is
> that really the right thing to do here?
> 
> Best regards, Julian
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 19 April 2021 07:31:15 UTC