Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)


On Thursday 19 October 2006 00:08, you wrote:
> It certainly won't be enabled by default, nor would I encourage  
> such a config in a production environment, and I wouldn't put it in  
> an admin UI.
That was the point of my admittedly drastic proposal --
to strongly discourage the usage of this sort of thing.

> For what it's worth, as a client author I'd have a somewhat  
> different viewpoint here.  But as a server author,
Keep in mind that "as a server author" you have
to make best efforts to safeguard the needs of
your clients and the users thereof -- if you offer
something they use credulously without realizing
the negative impacts of using it, you could be held
liable for that, at least your users could accuse you
of wanton negligence...
(My personal opinion, you might have a different position).

Kind regards

Ingo Struck

Received on Thursday, 19 October 2006 21:27:53 UTC