- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 17 Oct 2006 23:02:53 +0200
- To: Lisa Dusseault <lisa@osafoundation.org>
- CC: Robert Sayre <sayrer@gmail.com>, lists@ingostruck.de, Larry Masinter <masinter@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Lisa Dusseault wrote:
>
> I would expect that any new Proposed Standard RFC would have to take
> into account the heightened expectations around mandatory-to-implement
> security technologies. Updates to previous RFCs would not necessarily
> be immune to that. I believe it's very important to clarify what HTTP
> clients and servers do need to support to provide adequate security for
> modern applications -- HTTP is hardly immune to attacks, and
> authentication technology is one of the failing pieces here which allows
> those attacks. See for example the discussion at the Web Authentication
> Enhancements BoF at the last IETF
> <http://www3.ietf.org/proceedings/06jul/index.html>.

Well, if the IESG expects a revision to RFC2616 to step into the area covered by RFC2617, then I must agree with Robert that it's probably not worth trying, and that less harm is done by sticking to whatever RFC2616 is saying today.

Best regards, Julian

Received on Tuesday, 17 October 2006 21:03:01 UTC