
Re: [Ecrit] comments on LoST



Responding to my own message since Jonathan and I had a quick exchange on this subject in the meeting yesterday...

On Jul 11, 2006, at 4:02 PM, Andrew Newton wrote:
* Security aspects are still really weak. You need to specify basic procedures as part of the basic client and server processing. Beyond mutual TLS I think we want a standard server side authentication mechanism as well, with no client authentication.

Being able to have that would be nice, but server side authentication will not work worldwide. I suppose it would depend on the TLS library, but some would require a requery with different options if the first query failed due to bad authentication.

Just to be clear, you are suggesting this as MUST implement but not MUST deploy, correct? So long as there is plain HTTP, I see no harm in doing this. I believe client authentication will be difficult to achieve in practice, but I see no reason why we can't ask implementations to support it since it is a common feature in most TLS libraries.


-andy

_______________________________________________
Ecrit mailing list
Ecrit at ietf.org
https://www1.ietf.org/mailman/listinfo/ecrit