###TODO: Paul ask the WG about the following proposed change:
Current:
At a minimum, client and server
implementations MUST be capable of being configured to use HTTP Basic
Authentication [RFC2617] in conjunction with a TLS [RFC2246]
connection as defined in [RFC2818] (but note that [RFC2246] has been
superseded by [RFC4346]). See [RFC4346] for more information on TLS.
New:
At a minimum, client and server implementations MUST be capable of
being configured to use HTTP Basic Authentication [RFC2617] in
conjunction with a connection made with TLS 1.0 [RFC2246] or a
subsequent standards-track version of TLS, and implementations MUST
also support the conventions for using HTTP over TLS described in
[RFC2818].
Does this wording change work for the WG?
I'm moderately concerned that some could interpret the "MUST also support the conventions for using HTTP over TLS" as a separable requirement from the "MUST be capable of being configured to use" requirement, when in my belief it's a single compound requirement (i.e. when configured to use HTTP with TLS, you must also support the conventions of 2818).
Could this possibly be simplified/clarified to:
At a minimum, client and server implementations MUST be capable of
being configured to use HTTP Basic Authentication [RFC2617] in
conjunction with a connection made with TLS 1.0 [RFC2246] or a
subsequent standards-track version of TLS, supporting the conventions for
using HTTP over TLS described in [RFC2818].
Sorry to be nit-picky, but this particular section has been a subject of much ongoing debate and concern.
Please let me know if I'm misinterpreting w.r.t. the fact that the reqts only apply in combination.
-- Kyle
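The compound reading Kyle argues for (Basic credentials are only ever sent on a TLS connection, and that TLS connection applies the RFC 2818 server-identity conventions) is easy to show as client-side policy. The following is an added illustration, not code from the thread or from any WG implementation; the URL, user name and password are constructed sample values, and the choice of TLS 1.2 as the lowest negotiated version is this example's assumption (the text's floor is TLS 1.0 or any later standards-track version).

```python
import base64
import ssl
from urllib.parse import urlsplit


def make_tls_context() -> ssl.SSLContext:
    """TLS context that follows the RFC 2818 conventions for HTTP over TLS:
    the server chain is verified and the certificate must match the host
    name that was requested."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Assumption for this example: refuse anything below TLS 1.2. The
    # proposed RFC text only requires TLS 1.0 "or a subsequent
    # standards-track version", so this satisfies it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def basic_auth_header(user: str, password: str) -> str:
    """RFC 2617 Basic credentials: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(url: str, user: str, password: str, ctx: ssl.SSLContext) -> dict:
    """Plan an authenticated request, enforcing the two halves of the
    requirement together: Basic auth is attached only when the transport
    is TLS, and only when that TLS context does the RFC 2818 checks."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Basic credentials over plain HTTP would travel in the clear.
        raise ValueError("Basic credentials are only sent over a TLS connection")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        # TLS without server identity checks does not meet RFC 2818.
        raise ValueError("TLS context does not apply RFC 2818 server identity checks")

    host = parts.hostname
    port = parts.port or 443
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    headers = {
        "Host": host if port == 443 else f"{host}:{port}",
        "Authorization": basic_auth_header(user, password),
    }
    return {"host": host, "port": port, "path": path, "headers": headers}


if __name__ == "__main__":
    # Constructed sample values; nothing is sent on the network here.
    plan = build_request("https://example.org/collection", "alice", "secret",
                         make_tls_context())
    print(plan["host"], plan["port"], plan["path"])
    print(plan["headers"]["Authorization"])
```

`build_request` only plans the request; wiring it to `http.client.HTTPSConnection(host, port, context=ctx)` sends it with the same context, so the identity check and the credential policy cannot be separated by configuration.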