- From: Keith Moore <moore@cs.utk.edu>
- Date: Thu, 07 Jun 2007 18:11:53 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Paul Hoffman <phoffman@imc.org>, Apps Discuss <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Julian Reschke wrote:
> Keith Moore wrote:
>> no. deprecate 2617. deprecate the framework that is in 2616. HTTP
>> security needs a clean slate approach.
>
> I personally have no problem with this. In the wild, most
> authentication isn't using RFC2617 anyway.
>
> However, my understanding is that the IESG doesn't allow RFC2616bis
> not to discuss authentication in *some* manner.

I'm certain that there will have to be a good answer to the authentication question before 2616bis will be allowed to get any kind of standardization status. (it could probably be in a separate document).

> BTW: does the framework really require fixing?

I am pretty sure that it does. I think sites will continue to insist on being in control of the look and feel of the username/password dialog. I also think that the phishing concerns have to be dealt with. The two of these together make for an interesting set of constraints.

Keith

Received on Thursday, 7 June 2007 22:12:28 UTC