
Re: Facts, please, not handwaving [Re: Its about mandate RE: Why cant the IETF embrace an open Election Process]

2006-09-18 22:49:28
Robert Sayre <sayrer(_at_)gmail(_dot_)com> writes:

> Thankfully, the complete failure known as HTTP 1.1 would never make it
> to Proposed Standard under the unwritten process we have now. For
> example, it doesn't contain a mandatory, universally interoperable
> authentication feature.

That's right, it doesn't, and the lack of that feature is a first-rate
pain in the ass.  To take another example, NNTP is widely deployed and
lacks an interoperable authentication capability, and as a result the
authentication situation for NNTP is horrible.

The IETF requires such things not to scuttle protocols that don't have
them but to get people to go back and add them early when it's still
possible.  The requirement doesn't mean that protocols can't succeed
without authentication; that's obviously wrong.  It's instead about making
the protocol *better* while we have an opportunity to do so.

Both HTTP 1.1 and NNTP are widely deployed and have serious flaws in the
area of authentication.  Both would be *better* protocols had
authentication been addressed up-front instead of patched on retroactively
like we're having to do now.

We've now gone back and done that work for NNTP, in the IETF context, and
the resulting protocol is a significant improvement over what we have now.
It's an open question whether we were too late, whether there is so large
of a deployed base at this point that not enough people will ever
implement a well-specified authentication mechanism.  That doesn't mean
the work doesn't solve a very real problem; it means that the problem was
solved too late and as a result NNTP has become increasingly marginalized.
That's one possible failure mode; another possible failure mode is the one
that HTTP has experienced, where everyone invents their own authentication
protocol on top of it, many of which are not actually secure and most of
which don't even make a passing attempt at being interoperable.  This is
exactly the sort of situation that the IETF rule attempts to head off.

-- 
Russ Allbery (rra(_at_)stanford(_dot_)edu)             
<http://www.eyrie.org/~eagle/>
