I provided review and comment for the text that was sent forward to
IESG Evaluation. It sounds like your issues are in the process
before I saw the text.
As I said in my first posting, I'll let others provide rationale for
their own actions.
At 03:47 PM 7/13/2007, Julian Reschke wrote:
Russ Housley wrote:
That is not the way the document arrived to the IESG. It said:
The type of authentication deployed is a local decision made by the
server operator. Clients are likely to face authentication schemes
that vary across server deployments. At a minimum, client and server
implementations MUST be capable of being configured to use HTTP Basic
Authentication [RFC2617] in conjunction with a TLS [RFC2246]
connection as defined in [RFC2818] (but note that [RFC2246] has been
superseded by [RFC4346]). See [RFC4346] for more information on TLS.
The normative reference cites TLS 1.0, making it the only version
that is permitted.
Yes, and that problem was known when it was submitted (together with
confusing statement about RFC4346 which follows in the next sentence).
Originally the WG didn't want to put it any MTI requirement at all.
As far as I can recall, we ended up with the text that was submitted
because we were told that "this is what you need to do to get IESG approval".
The changes made in the latest draft clearly are an improvement over
the text that was submitted, and hopefully the spec can now proceed.
Best regards and sorry for the confusion,
Ietf mailing list