Tim Bray wrote:


On Feb 23, 2006, at 11:19 AM, James M Snell wrote:


Alternative approach to PaceBasicAuthentication and PaceAuthentication.

http://www.intertwingly.net/wiki/pie/PaceFixSecurityConsiderations

I am generally positive on this approach.

- APP is fairly late to the party of content creation via HTTP, and *very* late to the party of securing HTTP transactions.
- Furthermore there are many in the IETF who hold passionate opinions about the right and wrong way to secure net transactions in general and HTTP in particular, and I would be happier if they didn't use the APP draft as a place to continue the task of working through these issues.
- Finally, without a deep technical understanding of these issues, but having had considerable experience with security-admin and security-architect types, I suspect that our specification has relatively little chance of influencing their actions.

So I generally think that we win by saying the least possible that we can get away with.

-Tim

+1 on both James' proposal and Tim's comments.

Julian
