Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On 11/4/06, Henrik Nordstrom <> wrote:
> lör 2006-11-04 klockan 10:47 -0800 skrev Lisa Dusseault:
> > So I guess a decision that CLIENTS MUST support Basic and Digest in a
> > new HTTP RFC, might be signalled by a minor version bump.
> I too don't see thy a version bump would even be remotely needed in this
> case. It's already the server who dictates which authentication
> protocols is acceptable to the server,

An HTTP/1.1 message is not a guarantee that the sender supports any
authentication mechanism. Servers receiving a hypothetical HTTP/1.2
message could make that assumption.

> HTTP version numbers do have an implicit defined meaning:

They have an explicit meaning. See RFC 2145. Additionally, RFC 2616
defines the term "conditional compliance".  RFC 2616 section 3 also
defines the term "conditional compliance", which is not compatible
with the addition of a MUST-level security mechanism.

"An HTTP client MUST NOT send a version for which it is not at least
conditionally compliant.'


Robert Sayre

Received on Saturday, 4 November 2006 19:59:34 UTC