
RE: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Wed, 18 Oct 2006 07:47:44 +0000
Message-ID: <76323E9F0A911944A4E9225FACFC55BA02784E2B@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Robert Collins <robertc@robertcollins.net>, Robert Sayre <sayrer@gmail.com>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>

Roy was right -- it's too late to make anything MTI in HTTP/1.1.

So, the question has to be whether it would make sense to make something
MTI in HTTP/1.2.

Or, if we made a replacement for 2617, which offered several alternative
auth mechanisms, we could say that anyone who wanted to be compliant
with it had to implement one or more of said mechanisms. 

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Robert Collins
Sent: Tuesday, October 17, 2006 9:35 PM
To: Robert Sayre
Cc: Bjoern Hoehrmann; HTTP Working Group
Subject: Re: security requirements (was: Updating RFC 2617 (HTTP Digest)
to use UTF-8)

On Tue, 2006-10-17 at 20:38 -0400, Robert Sayre wrote:
> Does anyone think mandatory-to-implement authentication schemes or 
> transport-layer security mechanisms will be helpful and realistic?

No: Lots of folk started offering HTTP/1.1 in their version line long
before they were even vaguely conformant, and new implementations still
show up with plenty of bugs (we ran into one just this month in fact).

I think that most existing implementations would just ignore it.

GPG key available at: <http://www.robertcollins.net/keys.txt>.
Received on Wednesday, 18 October 2006 08:22:09 UTC
