- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Fri, 20 Oct 2006 11:10:38 -0700
- To: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
I don't get it. An application of HTTP could certainly say that a conforming implementation has to be based on an implementation of HTTP that supports Digest (for example). That should satisfy the MTI rule, wouldn't it? This doesn't seem that hard, once the rules and the motivation for them are understood. Or, a new auth mechanism for HTTP could be created, and then the application could make that mechanism mandatory. The downside would be that not many conforming implementations would initially exist until the new mechanism was widely deployed, but if the new mechanism had enough value, then the fact that it was MTI for valuable HTTP application would hasten its deployment. -----Original Message----- From: Julian Reschke [mailto:julian.reschke@gmx.de] Sent: Friday, October 20, 2006 3:11 AM To: HTTP Working Group Cc: Paul Leach Subject: Re: security requirements But Robert's complaint was triggered by the IESG asking for that kind of security mechanism for specs that just happen to *use* HTTP, such as AtomPub, CalDAV or XCAP. Those are applications of HTTP, not new protocols. Best regards, Julian
Received on Friday, 20 October 2006 18:08:52 UTC