- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sat, 24 Mar 2012 12:51:45 +1300
- To: ietf-http-wg@w3.org
On 24/03/2012 12:27 p.m., Martin Thomson wrote:
>>> And maybe the use of MUST is not appropriate here.
>> That's what I was thinking too.
> Saying nothing works. "The user agent MUST select one auth-scheme
> that it understands..."
>
> Or you remove the MUST altogether, there's nothing saying that a user
> agent couldn't just go off and make a cup of tea when it encounters an
> WWW-Authenticate.
>
> "The user agent selects one challenge that it can use..."
>

Was not the reasoning behind that MUST to prevent mishaps like IE6 selecting the first presented option even if it was the worst security-wise?

I would think this is a case for the auth scheme specifications to outline which alternative schemes they are stronger/weaker than, and in what ways. It does not really matter to HTTP which scheme is selected, only that any security resulting is the best available.

AYJ
Received on Friday, 23 March 2012 23:52:17 UTC