Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8) from Roy T. Fielding on 2006-10-18 (ietf-http-wg@w3.org from October to December 2006)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 17 Oct 2006 19:30:47 -0700
To: Robert Sayre <sayrer@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <A89F770B-1E71-44C1-AFD0-87EE1757B494@gbiv.com>

On Oct 17, 2006, at 5:38 PM, Robert Sayre wrote:
> Does anyone think mandatory-to-implement authentication schemes or
> transport-layer security mechanisms will be helpful and realistic?

Not without changing the HTTP version number, but I suppose that
I shouldn't assume that is obvious.  HTTP/1.1 has already been
deployed and I have no interest in declaring any of those
implementations broken just because they failed to anticipate a
not-yet-specified secure auth mechanism.  That ship has sailed.

So, if anyone thinks that a secure authentication scheme is a cool
thing, they should propose one and eventually update RFC 2617 to
include it, at which point it will be an OPTIONAL secure auth
mechanism for HTTP/1.1 (without any need to change RFC 2616).
The only way to make it a REQUIRED secure auth mechanism for HTTP
is to move on to HTTP/1.2, at which point we open the flood gates.

....Roy

Received on Wednesday, 18 October 2006 02:30:37 UTC