- From: Justin Erenkrantz <justin@erenkrantz.com>
- Date: Thu, 7 Jun 2007 10:57:23 -0700
- To: "Paul Hoffman" <phoffman@imc.org>
- Cc: "Keith Moore" <moore@cs.utk.edu>, "Apps Discuss" <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 6/7/07, Paul Hoffman <phoffman@imc.org> wrote:
>
> At 12:09 PM -0400 6/7/07, Keith Moore wrote:
> >2617 doesn't need clarification, it needs to be deprecated and replaced
> >with not only different schemes but an entirely different framework.
>
> We need to deal with the real world. In the real world, Basic and
> Digest Auth are used. In the real world, the better replacement for
> them is not deployed. It is fine for us to say "please stop doing
> that, use this instead", but it is myopic and unhelpful to deprecate
> something that is in widespread use.

Right - the IETF can wave a magic wand here, but it won't help as deploying new versions of the servers and the clients takes years.

Furthermore, my understanding is that IESG now requires all new protocols to always be secure. I think that *mandating* that we use SSL (or some similar connection-oriented security mechanism) for *all* Web traffic is going to kill everyone.

As long as authentication remains optional, I'm okay - but if it's mandatory or required to be the default behavior, I very likely won't support implementation of such a short-sighted standard.

-- justin

Received on Thursday, 7 June 2007 17:57:30 UTC