- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Wed, 18 Oct 2006 02:43:44 +0000
- To: Robert Sayre <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>
- CC: Julian Reschke <julian.reschke@gmx.de>, <lists@ingostruck.de>, Larry Masinter <masinter@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

One could argue that because so much of HTTP access is legitimately anonymous, it should be OK for a conforming implementation to not have to implement Basic or Digest. However, that doesn't mean that we couldn't spec it such that IF one or more authentication mechanisms are implemented, that set must include XXX (where XXX is the defined mandatory-to-implement auth mech). I believe that MTI is a good idea, for the case where there is more than one reasonable choice, in order to guarantee that all implementations can be configured to interop.

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Robert Sayre
Sent: Tuesday, October 17, 2006 4:28 PM
To: Lisa Dusseault
Cc: Julian Reschke; lists@ingostruck.de; Larry Masinter; HTTP Working Group
Subject: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On 10/17/06, Lisa Dusseault <lisa@osafoundation.org> wrote:
>
> Since there are so many ways to approach this, so many variations in
> what specs are revised and how they depend upon each other, I can't
> say whether I, or the IESG, expect a revision to RFC2616 to "step
> into" the area covered by RFC2617.

Perhaps we should poll the HTTP community as a start. Does anyone think mandatory-to-implement security mechanisms will be helpful and realistic?

--
Robert Sayre

Received on Wednesday, 18 October 2006 07:14:52 UTC