- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Fri, 20 Oct 2006 10:59:11 -0700
- To: Robert Sayre <sayrer@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
IMO, the biggest threat is that vendors ship implementations that simply _can't_ be configured to interoperate. The MTI rule tries to prevent that. The only "enforcement" mechanism is that vendors can't morally claim conformance unless they obey. Once an implementation is in customers' hands, there's nothing to prevent them from configuring it so that it doesn't interoperate. That's essentially what is behind the threat of which you speak, and I don't see any technical solution. However, availability of an acceptable MTI mechanism at least means that such customers have no excuse for non-interoperability. That's why I think the MTI rule addresses the more fundamental threat. -----Original Message----- From: Robert Sayre [mailto:sayrer@gmail.com] Subject: Re: security requirements But since the rules concern implementations rather than deployments, MTI doesn't prevent the actual threat to HTTP interoperability: centralized authentication services. It's a backwards rule intended for companies shipping routers and floppy discs. Web applications can route around it. -- Robert Sayre
Received on Friday, 20 October 2006 17:58:21 UTC