- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Wed, 18 Oct 2006 07:47:44 +0000
- To: Robert Collins <robertc@robertcollins.net>, Robert Sayre <sayrer@gmail.com>
- CC: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
Roy was right -- it's too late to make anything MTI in HTTP/1.1.

So, the question has to be whether it would make sense to make something MTI in HTTP/1.2.

Or, if we made a replacement for 2617, which offered several alternative auth mechanisms, we could say that anyone who wanted to be compliant with it had to implement one or more of said mechanisms.

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Robert Collins
Sent: Tuesday, October 17, 2006 9:35 PM
To: Robert Sayre
Cc: Bjoern Hoehrmann; HTTP Working Group
Subject: Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On Tue, 2006-10-17 at 20:38 -0400, Robert Sayre wrote:
>
> Does anyone think mandatory-to-implement authentication schemes or
> transport-layer security mechanisms will be helpful and realistic?

No: Lots of folk started offering HTTP/1.1 in their version line long before they were even vaguely conformant, and new implementations still show up with plenty of bugs (we ran into one just this month in fact).

I think that most existing implementations would just ignore it.

-Rob

--
GPG key available at: <http://www.robertcollins.net/keys.txt>.
Received on Wednesday, 18 October 2006 08:22:09 UTC