- From: Yoav Nir <ynir@checkpoint.com>
- Date: Sun, 26 Feb 2012 09:45:09 +0000
- To: Mark Nottingham <mnot@mnot.net>
- CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF-Discussion Discussion <ietf@ietf.org>, The IESG <iesg@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote: > >> >> I proposed a plan that I think might allow us to make progress >> on that. I believe we could. > > OK, great. > > Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it). I think I have *an* answer to this, though probably not *the* answer. There's two stages to adoption - implementation and roll-out. Obviously you can't roll out "new authentication" before the browsers and servers implement it. For my website, I wouldn't roll out new auth if only one or two of the browsers out there implemented it. Even if all the big ones (IE, Firefox, Chrome, Opera) did, I would still have to provide a backwards compatibility authentication scheme to support older browsers. This would lead to both inconsistent UI and to ugly javascript that detects the browser version, and makes the roll-out slower. If any HTTP/2.0 browser is bound to have "new authentication" it makes things much easier. This could be circumvented by adding request headers that advertise capabilities, but I don't think we like those much. Yoav
Received on Monday, 27 February 2012 09:37:16 UTC