On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote: > >> >> I proposed a plan that I think might allow us to make progress >> on that. I believe we could. > > OK, great. > > Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it). I think I have *an* answer to this, though probably not *the* answer. There's two stages to adoption - implementation and roll-out. Obviously you can't roll out "new authentication" before the browsers and servers implement it. For my website, I wouldn't roll out new auth if only one or two of the browsers out there implemented it. Even if all the big ones (IE, Firefox, Chrome, Opera) did, I would still have to provide a backwards compatibility authentication scheme to support older browsers. This would lead to both inconsistent UI and to ugly javascript that detects the browser version, and makes the roll-out slower. If any HTTP/2.0 browser is bound to have "new authentication" it makes things much easier. This could be circumvented by adding request headers that advertise capabilities, but I don't think we like those much. Yoav _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf