
Re: XML2004Hackathon

On Mon, Oct 25, 2004 at 05:27:34PM -0700, Dare Obasanjo wrote:
> --- Robert Sayre <mint@xxxxxxxxxxxxxxx> wrote:
>...
> > So far, the requirements in that section of the draft have gotten a
> > rather cool reception. I now agree that it's kind of silly to require a
> > certain authentication mechanism. What if someone only wants their
> > service available through full Kerberos authentication? Seems silly to
> > say such a service isn't compliant.

Agreed. I've been trying to say that for a while now. HTTP authentication
is completely orthogonal to the protocol that moves over the wire. They
are independent and should be treated that way.

The protocol spec should list under Security Considerations the need for a
secure HTTP authentication mechanism [because of the ability to read and
*write* content on the server], but then leave it up to the client and
server implementations to negotiate what auth will be used.

> There are two points here. The first is that the spec
> implies that if clients support CGI or Digest
> authentication they should be covered when it comes to
> authentication. However we have a major blogging tool
> vendor claiming that they plan to ignore that part of
> the spec, which makes the spec not worth much.

IMO, that part of the spec is simply out of date. It isn't so much that
we're specifically ignoring it. It's just that it needs to be brought up
to reality :-)

> More importantly, restricting what authentication
> mechanisms people can use is just plain silly.

Yup. See my previous point about "reality" :-)

> Perhaps we should take this to atom-protocol?

Agreed, and "done" :-)

Cheers,
-g
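The negotiation described above, as an added illustration (not code from this thread or from any Atom implementation): the server advertises one or more WWW-Authenticate challenges, and a hypothetical client picks the strongest scheme it supports, refusing Basic unless the connection is already protected by TLS. The preference list and the sample challenges are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical client preference, strongest first. Scheme names are the
# on-the-wire tokens; "Negotiate" is how Kerberos is carried over HTTP.
CLIENT_PREFERENCE = ["Negotiate", "Digest", "Basic"]

# name=value pairs, quoted ("...", with backslash escapes) or bare tokens
_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one WWW-Authenticate header value into (scheme, params).

    The scheme is the first token; any params follow it. A scheme with no
    params (e.g. a bare "Negotiate") yields an empty dict.
    """
    scheme, _, rest = value.strip().partition(" ")
    params = {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(rest)}
    return scheme, params


def choose_scheme(headers: List[str], over_tls: bool) -> Optional[Tuple[str, Dict[str, str]]]:
    """Pick the challenge the client should answer, or None if none is acceptable.

    The protocol layer (Atom) never sees this decision; it is purely an
    HTTP-level exchange between server policy and client capability.
    """
    offered = {}
    for header in headers:
        scheme, params = parse_challenge(header)
        offered[scheme.lower()] = (scheme, params)

    for preferred in CLIENT_PREFERENCE:
        hit = offered.get(preferred.lower())
        if hit is None:
            continue
        scheme, params = hit
        # Basic sends the password in the clear; only acceptable under TLS.
        if scheme.lower() == "basic" and not over_tls:
            continue
        return scheme, params
    return None


# Constructed sample: a server offering Basic and Digest for an Atom endpoint.
SAMPLE_CHALLENGES = [
    'Basic realm="atom-api"',
    'Digest realm="atom-api", nonce="dcd98b7102dd2f0e", qop="auth", algorithm=MD5',
]
```

Running `choose_scheme(SAMPLE_CHALLENGES, over_tls=False)` selects the Digest challenge and returns its parsed parameters, which is what a client would need to build its Authorization response.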