Re: [Ietf-http-auth] Updating RFC 2617 (HTTP Digest) to use UTF-8

Since there are so many ways to approach this, so many variations in  
what specs are revised and how they depend upon each other, I can't  
say whether I, or the IESG, expect a revision to RFC2616 to "step  
into" the area covered by RFC2617.  A BoF would be a great place to  
discuss what work needed to be done, how that work would be divided  
into drafts, how those drafts would depend on each other, and how  
security fits into the whole picture.  Then at least some of that  
would presumably make it into a charter, reviewed by the entire IETF,  
if a WG were approved.  Before and after a BoF, mailing list  
discussion here can cover the same questions usefully.  My opinions  
are by no means the only ones that matter.

Lisa

On Oct 17, 2006, at 2:02 PM, Julian Reschke wrote:

> Lisa Dusseault wrote:
>> I would expect that any new Proposed Standard RFC would have to  
>> take into account the heightened expectations around mandatory-to-implement  
>> security technologies.  Updates to previous RFCs would  
>> not necessarily be immune to that.  I believe it's very important  
>> to clarify what HTTP clients and servers do need to support to  
>> provide adequate security for modern applications -- HTTP is  
>> hardly immune to attacks, and authentication technology is one of  
>> the failing pieces here which allows those attacks.  See for  
>> example the discussion at the Web Authentication Enhancements BoF  
>> at the last IETF <http://www3.ietf.org/proceedings/06jul/index.html>.
>
> Well, if the IESG expects a revision to RFC2616 to step into the  
> area covered by RFC2617, then I must agree with Robert that it's  
> probably not worth trying, and that less harm is done by sticking  
> to whatever RFC2616 is saying today.
>
> Best regards, Julian

Received on Tuesday, 17 October 2006 22:27:26 UTC