Re: security requirements

lists@ingostruck.de wrote:
> Lisa, Robert,
> 
>>> "An HTTP client MUST NOT send a version for which it is not at least
>>> conditionally compliant."
>> Sorry, that's from RFC 2145. The send button was clicked a bit early. :)
>>
>> In any case, the requirements and semantics of HTTP version numbers
>> seem clear as a bell to me. I don't see any interpretation that allows
>> something as radical as the addition of a mandatory security mechanism
>> without incrementing the version number.
> Agreed -- just like indicated in my email from 2006-10-18:
> there is no reasonable way to add mandatory requirements
> without changing version numbers or breaking conformance
> of existing implementations (regardless whether server or client).

...unless it could be demonstrated that in practice all implementations 
already are compliant with that new requirement (which I doubt is going to 
happen :-).

> IMHO, dropping the requirement for broken legacy stuff (basic auth) seems
> feasible; adding a requirement to implement any mandatory auth scheme
> does not.

Yep.

HTTP/1.1 is widely deployed. Changing the mandatory requirements so that 
existing compliant implementations become non-compliant just doesn't 
compute.

> ...

Best regards, Julian

Received on Sunday, 5 November 2006 19:06:24 UTC