On 6/13/07, Paul Hoffman <phoffman@xxxxxxx> wrote:
> ###TODO: Paul ask the WG about the following proposed change:
> Current:
> At a minimum, client and server
> implementations MUST be capable of being configured to use HTTP Basic
> Authentication [RFC2617] in conjunction with a TLS [RFC2246]
> connection as defined in [RFC2818] (but note that [RFC2246] has been
> superseded by [RFC4346]). See [RFC4346] for more information on TLS.
> New:
> At a minimum, client and server implementations MUST be capable of
> being configured to use HTTP Basic Authentication [RFC2617] in
> conjunction with a connection made with TLS 1.0 [RFC2246] or a
> subsequent standards-track version of TLS, and implementations MUST
> also support the conventions for using HTTP over TLS described in
> [RFC2818].
> Does this wording change work for the WG?
I'm moderately concerned that some could interpret the "MUST also
support the conventions for using HTTP over TLS" as a separable
requirement from the "MUST be capable of being configured to use"
requirement, when in my belief it's a single compound requirement
(i.e. when configured to use HTTP with TLS, you must also support the
conventions of 2818).
Could this possibly be simplified/clarified to:
At a minimum, client and server implementations MUST be capable of
being configured to use HTTP Basic Authentication [RFC2617] in
conjunction with a connection made with TLS 1.0 [RFC2246] or a
subsequent standards-track version of TLS, supporting the conventions for
using HTTP over TLS described in [RFC2818].
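As an added illustration of what the compound requirement means in practice (this is editor-supplied example code, not part of the thread or of any Atompub implementation), the block below ties the two halves together on the client side: Basic credentials per RFC 2617 are only ever attached to a request that travels over TLS, and the TLS peer is accepted only if its certificate passes the RFC 2818 section 3.1 server-identity check (dNSName subjectAltName entries first, Common Name only as a fallback, `*` matching a single label or label fragment). The certificate dictionaries used in the matcher follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the TLS 1.2 floor in `tls_client_context()` is an assumption of this example, stricter than the "TLS 1.0 or a subsequent version" wording under discussion. IP-address hostnames (which RFC 2818 requires to be matched against an iPAddress SAN) are out of scope here.

```python
import base64
import ssl
from urllib.parse import urlsplit


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 s3.1 name matching.

    '*' matches any single domain name component or component fragment:
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com';
    'f*.com' matches 'foo.com' but not 'bar.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")
        if "*" in tail:  # at most one wildcard per label
            return False
        if len(h) < len(head) + len(tail):
            return False
        if not (h.startswith(head) and h.endswith(tail)):
            return False
    return True


def rfc2818_verify(cert: dict, hostname: str) -> bool:
    """Check a peer certificate (getpeercert() dict shape) against the
    hostname the client intended to reach, per RFC 2818 s3.1."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When dNSName SANs are present they are authoritative; the CN is ignored.
        return any(rfc2818_match(name, hostname) for name in dns_names)
    # No dNSName SAN: fall back to the (most specific) Common Name field.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return rfc2818_match(value, hostname)
    return False  # nothing to match against: reject


def basic_auth_header(username: str, password: str) -> str:
    """RFC 2617 s2: credentials = base64(user-id ':' password), sent in clear."""
    if ":" in username:
        raise ValueError("RFC 2617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request_headers(url: str, username: str, password: str) -> dict:
    """Attach Basic credentials only to a request that will travel over TLS.

    Basic credentials are trivially recoverable from the wire, so the client
    policy is: no https scheme, no Authorization header. The TLS connection
    itself must additionally pass rfc2818_verify() (or the equivalent check
    that ssl.SSLContext performs when check_hostname is True).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS connection")
    return {"Host": parts.netloc, "Authorization": basic_auth_header(username, password)}


def tls_client_context() -> ssl.SSLContext:
    """Client-side context for HTTP over TLS as RFC 2818 describes it:
    certificate required, hostname checked against the certificate."""
    ctx = ssl.create_default_context()
    # Assumption of this example: a TLS 1.2 floor, stricter than the
    # 'TLS 1.0 or a subsequent standards-track version' wording above.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the stdlib performs the RFC 2818/6125 name check
    return ctx
```

`build_request_headers` and `tls_client_context` are the two halves of the single compound requirement: a conforming client that is configured for Basic over TLS uses both, and `rfc2818_verify` spells out the identity rule the context enforces for you.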