From: "William A. Rowe Jr."
To: dev@httpd.apache.org
Date: Tue, 20 Mar 2012 17:12:53 -0500
Subject: Re: svn commit: r1302856 - /httpd/httpd/branches/2.4.x/docs/manual/mod/core.xml
Message-ID: <4F6900E5.8050009@rowe-clan.net>
In-Reply-To: <4F68F689.5030506@rowe-clan.net>
References: <20120320120906.21AB12388978@eris.apache.org> <4F68F689.5030506@rowe-clan.net>

On 3/20/2012 4:28 PM, William A. Rowe Jr. wrote:
> On 3/20/2012 7:09 AM, jim@apache.org wrote:
>> Author: jim
>> Date: Tue Mar 20 12:09:05 2012
>> New Revision: 1302856
>>
>> URL: http://svn.apache.org/viewvc?rev=1302856&view=rev
>> Log:
>> Merge r1302855 from trunk:
>>
>> Note that TRACE is not a vuln
>
> Agreed.
>
>> +
>> +     Despite claims to the contrary, TRACE is not
>> +     a security vulnerability and there is no viable reason for
>> +     it to be disabled. Doing so necessarily makes your server
>> +     non-compliant.
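Review bot: the added paragraph states that disabling TRACE "necessarily makes your server non-compliant" without citing the clause that requires TRACE support; the only specification referenced in this thread (draft-ietf-httpbis-p2-semantics-19, section 6.8) is described here as having no MUST requirement for servers to support TRACE, so either add a citation to the mandating text or soften the sentence to say that TRACE is not itself a vulnerability, without asserting that disabling it breaks compliance.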
>
> I'm not clear that's true.
>
> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-19#section-6.8
> currently in last call has plenty to say about TRACE.  It doesn't document
> a MUST requirement for a server to support TRACE requests.  It reads (at
> least to me, anyways) that support of TRACE is a good idea.
>
> It has some comments on security implications, as well, in that document.

And looking at that document again, there is very little variation between
TRACE and DELETE to suggest that TRACE must be implemented, but that we can
leave DELETE unimplemented.  CONNECT, on the other hand, is very clear about
how unlikely it is to be implemented on origin servers.