- From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
- Date: Wed, 17 Dec 1997 10:48:03 -0800
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

Well, it's nice to know that people who want Digest are still listening.
There are two reasons why I am pushing all the buttons in this thread.

1) People seem to be bandying about suggested changes to Digest
   without consideration for how those changes will affect
   deployment. If you change the entity-digest specification,
   is the recipient of the Digest supposed to decode it using the
   rules in RFC 2069 or RFC HTTPAA-eventually? How is the recipient
   going to tell the difference between them? Or should we just assume
   that everyone will instantly update their applications as soon as
   the new RFC is published (just as they didn't do for the last RFC)?

   HTTP/1.1 was designed for deployment. What is the deployment
   design for Digest mkIII? How do we get implementers to include
   it in their *current* products?

2) The current draft, <draft-ietf-http-authentication-00>, is
   a pile of fresh manure. The text format is mangled, it fails
   to define the general HTTP authentication header fields and
   responses, mis-defines WWW-Authenticate and Authorization as
   Digest-only fields, mixes HTTP-BNF and pseudo-math at random
   and without distinction, and needs a complete reorganization
   before anyone can be sensibly expected to give it a serious
   technical review.

If at least one of the seven authors currently listed on the draft
will step up to the plate and start editing, then maybe Digest can
be resurrected. I suggest the authors discuss this amongst themselves
and have a clean draft submitted by mid-January.

If not, then either Basic AA will move back into the main spec and
Digest will be dropped, or I'll do the edit myself according to what
is actually implemented. [Believe me, none of us want this to happen].

....Roy

Received on Wednesday, 17 December 1997 11:26:13 UTC