RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

One could argue that because so much of HTTP access is legitimately
anonymous, it should be OK for a conforming implementation to not have
to implement Basic or Digest. 

However, that doesn't mean that we couldn't spec it such that IF one or
more authentication mechanisms are implemented, that set must include
XXX (where XXX is the defined mandatory-to-implement auth mech).

I believe that MTI is a good idea, for the case where there is more than
one reasonable choice, in order to guarantee that all implementations
can be configured to interop.


-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Robert Sayre
Sent: Tuesday, October 17, 2006 4:28 PM
To: Lisa Dusseault
Cc: Julian Reschke; lists@ingostruck.de; Larry Masinter; HTTP Working Group
Subject: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)


On 10/17/06, Lisa Dusseault <lisa@osafoundation.org> wrote:
>
> Since there are so many ways to approach this, so many variations in
> what specs are revised and how they depend upon each other, I can't
> say whether I, or the IESG, expect a revision to RFC2616 to "step
> into" the area covered by RFC2617.

Perhaps we should poll the HTTP community as a start. Does anyone
think mandatory-to-implement security mechanisms will be helpful and
realistic?

-- 

Robert Sayre

Received on Wednesday, 18 October 2006 07:14:52 UTC