- From: Mark Baker <distobj@acm.org>
- Date: Wed, 25 Jun 2008 00:43:04 -0400
- To: "Justin James" <j_james@mindspring.com>
- Cc: public-html@w3.org

On Wed, Jun 25, 2008 at 12:22 AM, Justin James <j_james@mindspring.com> wrote:
>
> So, anyone not using HTTP 403 style authentication with Digest must use SSL?
> I really do not see this happening. There are far too many sites in which
> the capture of a password is fairly unimportant and/or the owners of the
> site cannot afford an SSL certificate. Additionally, to enforce this at the
> browser level with the "MUST NOT" phrasing is unrealistic;

Yup. I've mentioned this a few years ago on www-tag about another finding (or AWWW even, can't remember), but I don't think RFC 2119 terms are suitable for use by a TAG finding, especially in contexts such as a "best practice". How can something be a best practice *and* required in all situations without exception?! 8-O

RFC 2119 was designed for use by those defining Internet protocols, not advice for developers.

I think if the finding removed all references to those terms, it would be fine.

Mark.

Received on Wednesday, 25 June 2008 04:43:40 UTC