Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On Oct 17, 2006, at 5:38 PM, Robert Sayre wrote:
> Does anyone think mandatory-to-implement authentication schemes or
> transport-layer security mechanisms will be helpful and realistic?

Not without changing the HTTP version number, but I suppose that
I shouldn't assume that is obvious.  HTTP/1.1 has already been
deployed and I have no interest in declaring any of those
implementations broken just because they failed to anticipate a
not-yet-specified secure auth mechanism.  That ship has sailed.

So, if anyone thinks that a secure authentication scheme is a cool
thing, they should propose one and eventually update RFC 2617 to
include it, at which point it will be an OPTIONAL secure auth
mechanism for HTTP/1.1 (without any need to change RFC 2616).
The only way to make it a REQUIRED secure auth mechanism for HTTP
is to move on to HTTP/1.2, at which point we open the floodgates.


Received on Wednesday, 18 October 2006 02:30:37 UTC