- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 05 Nov 2006 19:59:38 +0100
- To: lists@ingostruck.de
- CC: Robert Sayre <sayrer@gmail.com>, Lisa Dusseault <lisa@osafoundation.org>, HTTP Working Group <ietf-http-wg@w3.org>

lists@ingostruck.de wrote:
> Lisa, Robert,
>
>>> "An HTTP client MUST NOT send a version for which it is not at least
>>> conditionally compliant.'
>> Sorry, that's from RFC 2145. The send button was clicked a bit early. :)
>>
>> In any case, the requirements and semantics of HTTP version numbers
>> seem clear as a bell to me. I don't see any interpretation that allows
>> something as radical as the addition of a mandatory security mechanism
>> without incrementing the version number.
> Agreed -- just like indicated in my email from 2006-10-18:
> there is no reasonable way to add mandatory requirements
> without changing version numbers or breaking conformance
> of existing implementations (regardless whether server or client).

...unless it could be demonstrated that in practice all implementations already are compliant to that new requirement (which I doubt is going to happen :-).

> imho to drop to require broken legacy stuff (basic auth) seems
> feasible, to add to require the impl of any mandatory auth scheme
> seems not.

Yep. HTTP/1.1 is widely deployed. Changing the mandatory requirements so that existing compliant implementations become non-compliant just doesn't compute.

> ...

Best regards, Julian

Received on Sunday, 5 November 2006 19:06:24 UTC