Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

lör 2006-11-04 klockan 14:59 -0500 skrev Robert Sayre:

> An HTTP/1.1 message is not a guarantee that the sender supports any
> authentication mechanism. Servers receiving a hypothetical HTTP/1.2
> message could make that assumption.

Neither is a HTTP/1.2 message as it says nothing about what protocol
version the client supports, only the protocol version of the last hop.

Attacking this via protocol version numbers is not the correct approach.
It's done by advertising the support in a header which is the only
end-to-end concept there is in HTTP.

Making the use of a new header mandatory does not require a new protocol
version, just a new standard strack RFC defining the header as

Bumping the protocol version simplifies compliance specifications as it
becomes sufficient to say one is compliant with HTTP/X.Y instead of a
list of RFCs.

Any major changes in the protocol such as moving away from being a
message based protocol to being a connection oriented protocol would
require a major version bump.

Any change in message format on the hop-by-hop level such as the
introduction of something on the same level a Connect header or a
another transfer-encoding model would require a minor version bump. So
does changing the requirements on how trailers may be used to a must.


Received on Saturday, 4 November 2006 21:58:53 UTC