- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 21 Feb 2012 18:37:12 +0000
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: mnot@mnot.net, iesg@ietf.org, ietf-http-wg@w3.org, IETF-Discussion <ietf@ietf.org>

On 02/21/2012 06:33 PM, Julian Reschke wrote:
> On 2012-02-21 19:26, Stephen Farrell wrote:
>>
>> Down below, for the proposed HTTP/2.0 work it says:
>>
>> > * Reflecting modern security requirements and practices
>>
>> In some earlier discussion I asked what "modern" means
>> there. It seems to mean at least working well with TLS,
>> but I'm not sure what else is meant, if anything.
>>
>> In particular, I think it'd be good to try get better
>> (more usable, more secure etc.) HTTP authentication
>> defined as a built-in part of HTTP/2.0.
>>
>> My initial take is that if we're not going to do this
>> for a major revision of the protocol, then when are we
>> going to do it? So I'd like to see that included.
>>
>> The counter argument offered was that better HTTP
>> authentication is complex and probably hard to get right
>> and so would be better handled separately.
>
> I believe this should be orthogonal to HTTP/2.0. Is there a specific
> thing that makes it impossible to use the existing authentication
> framework?

Who knows? We don't have a protocol on the table yet. I would
imagine that some level of backwards compatibility would be
a requirement of course, or at least an issue to be considered.

But the existing HTTP client authentication is also not
necessarily very useful, and there have been a number of
efforts to improve on that, none of which seem to have
gotten sufficient traction to get widely deployed/used.

Maybe HTTP/2.0 is a good time to try fix that.

S.

>
>> ...
>
> Best regards, Julian

Received on Tuesday, 21 February 2012 18:37:34 UTC