Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

Sat 2006-11-04 at 10:47 -0800, Lisa Dusseault wrote:

> So I guess a decision that CLIENTS MUST support Basic and Digest in a  
> new HTTP RFC, might be signalled by a minor version bump.

I too don't see why a version bump would even be remotely needed in this
case. It's already the server who dictates which authentication
protocols are acceptable to the server; the client just selects what it
thinks is best among the available choices. If there is no match,
communication is not possible, such as would be the case for a resource
requiring strong secure authentication.

The change to require support for strong authentication is not a
technical change, it's an administrative policy change. The protocol
isn't changed by this, only how the protocol may be applied.

HTTP version numbers do have an implicit defined meaning:

 - Minor numbers signify a change in transport related features, but
keeping the basic message format and meanings of headers intact.

 - Major numbers signify a change in message format, incompatible with
earlier versions. For example if the header format is changed, or if
already well-defined headers are redefined to another meaning.

Also remember that HTTP message numbers are hop-by-hop, while most
headers describing capabilities such as authentication requirements are
end-to-end.

Regards
enrik

Received on Saturday, 4 November 2006 19:44:49 UTC
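A client-side illustration of the selection the message describes (the server lists the schemes it accepts, the client picks the strongest one it supports, and no overlap means the request cannot proceed), added here as example code and not taken from the thread. The sample header, the client preference order and the assumption that every challenge uses only auth-params (no token68 values) are constructed for this example.

```python
import re

# Constructed sample: a server offering Digest and Basic for the same realm.
SAMPLE_HEADER = (
    'Digest realm="files", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'Basic realm="files"'
)

_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# A scheme name is a token followed by whitespace, a comma or end of value (never '=').
_SCHEME = re.compile(r"\s*(" + _TOKEN + r")(?=[\s,]|$)\s*,?")
# An auth-param is token '=' (quoted-string | token), optionally followed by a comma.
_PARAM = re.compile(r'\s*(' + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r')\s*,?')


def _unquote(value):
    """Strip quotes and backslash escapes from a quoted-string; tokens pass through."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Commas separate both params and challenges, so splitting on ',' is wrong;
    instead a new challenge starts wherever a token is not followed by '='.
    """
    challenges, pos = [], 0
    while pos < len(header):
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d" % pos)
        scheme, params, pos = m.group(1), {}, m.end()
        while True:
            p = _PARAM.match(header, pos)
            if not p:
                break  # next thing is another scheme name or end of value
            params[p.group(1).lower()] = _unquote(p.group(2))
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


# Client preference, strongest first; schemes not listed here are unsupported.
CLIENT_PREFERENCE = ("digest", "basic")


def select_challenge(header, preference=CLIENT_PREFERENCE):
    """Return (scheme, params) for the best server-offered scheme we support, else None."""
    offered = parse_www_authenticate(header)
    for wanted in preference:
        for scheme, params in offered:
            if scheme.lower() == wanted:
                return wanted, params
    return None  # no overlap between server policy and client support
```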