- From: <lists@ingostruck.de>
- Date: Sat, 4 Nov 2006 22:14:16 +0000
- To: "Robert Sayre" <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Lisa, Robert,

> > "An HTTP client MUST NOT send a version for which it is not at least
> > conditionally compliant."
>
> Sorry, that's from RFC 2145. The send button was clicked a bit early. :)
>
> In any case, the requirements and semantics of HTTP version numbers
> seem clear as a bell to me. I don't see any interpretation that allows
> something as radical as the addition of a mandatory security mechanism
> without incrementing the version number.

Agreed -- just as indicated in my email from 2006-10-18: there is no reasonable way to add mandatory requirements without changing version numbers or breaking conformance of existing implementations (regardless of whether server or client).

IMHO, to drop the requirement for broken legacy stuff (basic auth) seems feasible; to add a requirement to implement any mandatory auth scheme does not.

Moreover, I would consider the introduction of such a requirement a regression due to the existence of applications with "legitimately anonymous" usage of HTTP (see my aforementioned mail to the WG list).

Kind regards

Ingo Struck
Received on Saturday, 4 November 2006 21:11:07 UTC