- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Wed, 29 Feb 2012 20:55:24 +0100
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: Julian Reschke <julian.reschke@gmx.de>, IETF-Discussion <ietf@ietf.org>, "Roy T. Fielding" <fielding@gbiv.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Mark Nottingham <mnot@mnot.net>, Tim Bray <tbray@textuality.com>, The IESG <iesg@ietf.org>, ietf-http-wg@w3.org
lör 2012-02-25 klockan 14:13 +0000 skrev Stephen Farrell: > I don't agree with you there - the perceived low probability that > something will be deployed is a real disincentive here. We have had > people wanting to do work on this and have been told there's no point > because it won't get adopted. I do not agree that getting new auth schemes deployed if they do make sense is such big problem in the longer scope. We have already had two new auth schemes deployed within HTTP/1.1 during the lifetime of HTTP/1.1 and which is in wide scale use today across numerous different implementations. And these doesn't even followin HTTP semantics... A beauty of HTTP auth model here is that it can downgrade nicely, allowing old clients to continue working only not gaining the benefits of the new auth model. But that obviously have security implications as well if newer user-agents can be fooled into downgrading. Regards Henrik
Received on Wednesday, 29 February 2012 19:56:05 UTC