- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 02 Feb 2015 14:41:47 +0100
- To: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org

On 2015-01-30 22:45, Amos Jeffries wrote:
> On 31/01/2015 3:11 a.m., Rifaat Shekh-Yusef wrote:
>> Why would we restrict the use of this header in future protocols based on
>> the Digest usage of this header?
>> What would be the harm in allowing the new protocol that uses the header to
>> restrict its usage?
>>
>
> Information leaks. User credentials and secure token are potentially
> stored in here, as are details specific to the internal operation of the
> security algorithm selected/negotiated.
> ...

The intent of the draft was to separate out what was defined in RFC 2617;
thus I agree that we shouldn't relax the use unless there's broad consensus
that that would be a good idea.

Best regards, Julian

Received on Monday, 2 February 2015 13:42:40 UTC