
Re: Status of draft-ietf-atompub-protocol-15.txt



On 6/13/07, Paul Hoffman <phoffman@xxxxxxx> wrote:

###TODO: Paul ask the WG about the following proposed change:
Current:
   At a minimum, client and server
   implementations MUST be capable of being configured to use HTTP Basic
   Authentication [RFC2617] in conjunction with a TLS [RFC2246]
   connection as defined in [RFC2818] (but note that [RFC2246] has been
   superseded by [RFC4346]).  See [RFC4346] for more information on TLS.
New:
   At a minimum, client and server implementations MUST be capable of
   being configured to use HTTP Basic Authentication [RFC2617] in
   conjunction with a connection made with TLS 1.0 [RFC2246] or a
   subsequent standards-track version of TLS, and implementations MUST
   also support the conventions for using HTTP over TLS described in
   [RFC2818].
Does this wording change work for the WG?

I'm moderately concerned that some could interpret the "MUST also support the conventions for using HTTP over TLS" as a separable requirement from the "MUST be capable of being configured to use" requirement, when in my belief it's a single compound requirement (i.e. when configured to use HTTP with TLS, you must also support the conventions of 2818).

Could this possibly be simplified/clarified to:

   At a minimum, client and server implementations MUST be capable of
   being configured to use HTTP Basic Authentication [RFC2617] in
   conjunction with a connection made with TLS 1.0 [RFC2246] or a
   subsequent standards-track version of TLS, supporting the conventions for
   using HTTP over TLS described in [RFC2818].

Sorry to be nitpicky, but this particular section has been a subject of much ongoing debate and concern.

Please let me know if I'm misinterpreting w.r.t. the fact that the reqts only apply in combination.

-- Kyle