RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

Roy was right -- it's too late to make anything MTI in HTTP/1.1.

So, the question has to be whether it would make sense to make something
MTI in HTTP/1.2.

Or, if we made a replacement for 2617, which offered several alternative
auth mechanisms, we could say that anyone who wanted to be compliant
with it had to implement one or more of said mechanisms. 

-----Original Message-----
From: [] On Behalf Of Robert Collins
Sent: Tuesday, October 17, 2006 9:35 PM
To: Robert Sayre
Cc: Bjoern Hoehrmann; HTTP Working Group
Subject: Re: security requirements (was: Updating RFC 2617 (HTTP Digest)
to use UTF-8)

On Tue, 2006-10-17 at 20:38 -0400, Robert Sayre wrote:
> Does anyone think mandatory-to-implement authentication schemes or 
> transport-layer security mechanisms will be helpful and realistic?

No: Lots of folk started offering HTTP/1.1 in their version line long
before they were even vaguely conformant, and new implementations still
show up with plenty of bugs (we ran into one just this month in fact).

I think that most existing implementations would just ignore it.


Received on Wednesday, 18 October 2006 08:22:09 UTC