Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

Am 04.11.2006 um 21:16 schrieb Robert Sayre:

> On 11/4/06, Robert Sayre <> wrote:
>> "An HTTP client MUST NOT send a version for which it is not at least
>> conditionally compliant.'
> Sorry, that's from RFC 2145. The send button was clicked a bit  
> early. :)
> In any case, the requirements and semantics of HTTP version numbers
> seem clear as a bell to me. I don't see any interpretation that allows
> something as radical as the addition of a mandatory security mechanism
> without incrementing the version number.


And besides, I fail to see what shall be accomplished here. I get the  
feeling that people think that waving the magic wand of specification  
revisions will instantaneously change the world around them. It will  

If the spec would be changed in this way, all a reasonable server  
could deduce from a HTTP/1.1 request is that the client *may*  
implement the now mandatory to implement authentication schemes. That  
seems a bit thin a gain compared to the current situation, e.g. the  
server can assume that the client *may* implement basic and digest.


Received on Saturday, 4 November 2006 20:41:47 UTC