- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 18 Oct 2006 04:19:03 +0200
- To: "Robert Sayre" <sayrer@gmail.com>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

* Robert Sayre wrote:
>Does anyone think mandatory-to-implement authentication schemes or
>transport-layer security mechanisms will be helpful and realistic?

That's still too broad. Should this be mandatory for servers, clients, gateways, tunnels, proxies, protocols built on top of HTTP or their clients or servers, application programming interfaces for any of these, applications built on top of them, or maybe complex interactive user agents, such as web browsers? Authentication what for? Access Control? Logging? To what extent? Is an IP address a good enough identity? Or is support for cookies good enough? Helpful in order to achieve what?

Should it be possible to make a software module that conforms to the HTTP specification even though it does not implement any form of user authentication or transport layer security? Yes, certainly. But that does not imply that all software should be able to conform to it, or derived specifications, without such support.

There is a simple metric here: a MUST-level requirement is reasonable only if you can argue that any application to which the requirement applies is broken at a level beyond "because the spec says it is", or in other words, only if it is reasonable to expect any and all applications to meet the requirement, assuming it applies to them.

There will typically be edge cases where you will have to decide that it is better to use a SHOULD-level requirement, to encode the exceptions as a condition for the MUST, or simply accept that some applications will not conform to the specification, or that the specification does not define conformance for that application at all. There are no hard and fast rules here.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 18 October 2006 02:19:17 UTC