Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On Nov 4, 2006, at 2:42 PM, Henrik Nordstrom wrote:

> lör 2006-11-04 klockan 17:27 -0500 skrev Robert Sayre:
>> On 11/4/06, Henrik Nordstrom <> wrote:
>>> lör 2006-11-04 klockan 17:07 -0500 skrev Robert Sayre:
>>>> A new RFC can make a header mandatory for RFCNNNN compliance,  
>>>> but not
>>>> HTTP/1.1 compliance.
>>> Exacly what I said.
>> OK. Then I submit that such an RFC cannot claim to define HTTP/1.1.
> Agreed. It's at most an standards track extension to HTTP/1.1.

Slight disagreement here: if RFCNNNN obsoleted RFC2616, without  
bumping the version number, it had better be backwards compatible --  
but it is more than a standards track extension to HTTP/1.1, it  
becomes the new best definition of HTTP/1.1.

> Also for the record I am against that implementation of strong
> authentication should be mandatory for HTTP protocol compliance.
> A requirement of implementation of a well defined strong  
> authentication
> scheme IF authentication is implemented is fine however.

That's not a bad start.  The next thing to think about is to ask in  
what cases authentication implementation IS required.  I certainly  
agree with those who've said that authentication isn't necessary in  
some uses of HTTP.


Received on Sunday, 5 November 2006 21:23:39 UTC