IM, the biggest threat is that vendors ship implementations that simply
_can't_ be configured to interoperate. The MTI rule tries to prevent
that. The only "enforcement" mechanism is that vendors can't morally
claim conformance unless they obey.
an implementation is in customers' hands, there's nothing to
prevent them from configuring it so that it doesn't interoperate. That's
essentially what is behind the threat of which you speak, and I don't
see any technical solution. However, availability of an acceptable MTI
mechanism at least means that such customers have no excuse for
non-interoperability. That's why I think the MTI rule addresses the more
fundamental threat.
Message
From: Robert Sayre [mailto:sayrer (AT) gmail (DOT) com]
Subject: Re: security requirements
But since the rules concern
implementations rather than deployments, MTI doesn't prevent the
actual threat to HTTP interoperability: centralized authentication
services. It's a backwards rule intended for companies shipping
routers and floppy discs. Web applications can route around it.