- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Fri, 20 Oct 2006 02:04:59 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
I don't think the IETF bashing is warranted. They made a mistake in not requiring us to specify an MTI security mechanism in 2617 (and in having 2616 require that a conformant implementation support 2617). There was no tacit agreement by some "in-crowd" that we didn't have to live by the rules. As I indicated in an earlier post, perhaps it was the prevalence of legitimate anonymous access with HTTP that caused this oversight. Given the to-do raised by Mr. Sayre recently, I doubt that anyone doing HTTP/1.2 will have to worry about (or could count on) a similar oversight :-) Historically, the rules evolved because for a long time most protocol designers totally ignored security -- throwing in plain-text passwords at best. Hence the requirement to have non-plaintext-password authentication, and security considerations sections. The notion of MTI actually is totally independent of security -- it is a general principle of protocol design for any protocol that has options, in order to guarantee that conforming implementations can always be configured to interoperate. (This was in reaction to the ISO protocol mess with non-interoperable "profiles" of the 1980's.)
Received on Friday, 20 October 2006 09:04:55 UTC