- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Sat, 4 Nov 2006 13:13:41 -0800
- To: Robert Sayre <sayrer@gmail.com>, Henrik Nordstrom <hno@squid-cache.org>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Making one or both of the existing auth protocols mandatory-to-implement does not change the protocol at all, so no version number change is necessary. That's because making a protocol feature mandatory-to-implement does NOT make it mandatory to configure. Hence, for example, one could not deduce, from either an HTTP/1.1 or a new HTTP/1.2 sent by a client, that a server can send Basic or Digest challenge and be assured that it will be understood by the client. -----Original Message----- From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Robert Sayre Sent: Saturday, November 04, 2006 3:17 PM [Paul Leach] snip In any case, the requirements and semantics of HTTP version numbers seem clear as a bell to me. I don't see any interpretation that allows something as radical as the addition of a mandatory security mechanism without incrementing the version number. -- Robert Sayre
Received on Saturday, 4 November 2006 21:14:35 UTC