[Ietf-caldav] References in draft-dusseault-caldav-12

Julian Reschke julian.reschke at gmx.de
Fri Jun 23 11:22:07 PDT 2006


Lisa Dusseault wrote:
> I answered too fast and forgot one important point:  a single, 
> mandatory-to-implement secure transport is necessary to have both 
> interoperability and to meet the "no plain-text passwords in the clear" 
> requirement.  If a server supported only IPSec and a client supported 
> only TLS, that would not be interoperable.  I find TLS to be the 
> preferable mandatory-to-implement solution.
> 
> It looks like our text could still do with some improvement however; 
> something along the lines of "Servers MUST NOT offer BASIC over an 
> unprotected channel.  Clients MUST support TLS in order to provide one 
> channel-encryption mechanism that servers can rely on if they decide to 
> offer BASIC."
> 
> ...

I really think it's an extremely bad idea if each protocol that happens 
to use HTTP as transport comes with its own requirements here. This is 
an issue which is common to WebDAV itself, CalDAV, AtomPub and so on.

Are you saying that the IESG expects the authors of each of these specs 
to come up with their own solution?

If this problem really requires attention, it should be solved in a base 
spec others can rely on. It definitely doesn't belong in CalDAV (why 
would it have security requirements different from those in WebDAV, for 
instance???).


Best regards, Julian

