On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote:

>> I proposed a plan that I think might allow us to make progress
>> on that. I believe we could.
> OK, great. 
> Could you please explain why you think tying this effort to HTTP/2.0 is 
> necessary to achieve that? To me that's the critical bit, and I still haven't 
> seen the reasoning (perhaps I missed it).

I think I have *an* answer to this, though probably not *the* answer.

There's two stages to adoption - implementation and roll-out. Obviously you 
can't roll out "new authentication" before the browsers and servers implement 
it. For my website, I wouldn't roll out new auth if only one or two of the 
browsers out there implemented it. Even if all the big ones (IE, Firefox, 
Chrome, Opera) did, I would still have to provide a backwards compatibility 
authentication scheme to support older browsers. This would lead to both 
inconsistent UI and to ugly javascript that detects the browser version, and 
makes the roll-out slower.

If any HTTP/2.0 browser is bound to have "new authentication" it makes things 
much easier.

This could be circumvented by adding request headers that advertise 
capabilities, but I don't think we like those much.


Ietf mailing list

Reply via email to