Re: security requirements

On 10/20/06, Paul Leach wrote:
> IMO, the biggest threat is that vendors ship implementations that simply
> _can't_ be configured to interoperate.

Right, that's the conventional wisdom. Experience with HTTP shows that
server deployments drive clients to support as many HTTP security
mechanisms as they can. Undocumented mechanisms have been a problem.

HTTP security now takes place via forms, cookies, redirects, and
rubber bands. I think the IETF should create a bunch of new mechanisms
and see which one wins. Maybe there will be something to require in

> I don't see any technical solution.

Robert Sayre

Received on Friday, 20 October 2006 18:12:39 UTC