Robert Sayre <sayrer@xxxxxxxxx> writes:

> Thankfully, the complete failure known as HTTP 1.1 would never make it
> to Proposed Standard under the unwritten process we have now. For
> example, it doesn't contain a mandatory, universally interoperable
> authentication feature.

That's right, it doesn't, and the lack of that feature is a first-rate pain in the ass. To take another example, NNTP is widely deployed and lacks an interoperable authentication capability, and as a result the authentication situation for NNTP is horrible.

The IETF requires such things not to scuttle protocols that don't have them but to get people to go back and add them early when it's still possible. The requirement doesn't mean that protocols can't succeed without authentication; that's obviously wrong. It's instead about making the protocol *better* while we have an opportunity to do so.

Both HTTP 1.1 and NNTP are widely deployed and have serious flaws in the area of authentication. Both would be *better* protocols had authentication been addressed up-front instead of patched on retroactively like we're having to do now.

We've now gone back and done that work for NNTP, in the IETF context, and the resulting protocol is a significant improvement over what we have now. It's an open question whether we were too late, whether there is so large of a deployed base at this point that not enough people will ever implement a well-specified authentication mechanism. That doesn't mean the work doesn't solve a very real problem; it means that the problem was solved too late and as a result NNTP has become increasingly marginalized.

That's one possible failure mode; another possible failure mode is the one that HTTP has experienced, where everyone invents their own authentication protocol on top of it, many of which are not actually secure and most of which don't even make a passing attempt at being interoperable. This is exactly the sort of situation that the IETF rule attempts to head off.

--
Russ Allbery (rra@xxxxxxxxxxxx) <http://www.eyrie.org/~eagle/>