lör 2012-02-25 klockan 14:13 +0000 skrev Stephen Farrell:
I don't agree with you there - the perceived low probability that
something will be deployed is a real disincentive here. We have had
people wanting to do work on this and have been told there's no point
because it won't get adopted.
I do not agree that getting new auth schemes deployed if they do make
sense is such big problem in the longer scope.
We have already had two new auth schemes deployed within HTTP/1.1 during
the lifetime of HTTP/1.1 and which is in wide scale use today across
numerous different implementations. And these doesn't even followin HTTP
A beauty of HTTP auth model here is that it can downgrade nicely,
allowing old clients to continue working only not gaining the benefits
of the new auth model. But that obviously have security implications as
well if newer user-agents can be fooled into downgrading.
Ietf mailing list