Can anyone explain why every ALTO server is now *required* to provide an
https interface, and encryption, and client authentication? That seems to
be a rather onerous requirement. The basics aren't bad, but doing it the
right way -- using a properly signed certificate from a recognized
authority, keeping the keys and user info protected, etc -- is a lot of
work.
Or does that just mean that if an ALTO server chooses to do
encryption/authentication, it must do it via ssl/tls, rather than some ad
hoc scheme?
- Wendy Roome
>Date: Fri, 1 Mar 2013 22:26:49 -0500
>From: "Y. Richard Yang" <[email protected]>
>Subject: [alto] Summary of draft-ietf-alto-protocol changes between
> -13 and -14
......
>
> - Changed from MAY to MUST: An ALTO Server MUST support SSL/TLS [RFC5246]
>   to implement server and/or client authentication ... (Sec. 7.3.5 in -14;
>   Sec. 6.3.5 in -13)
>
_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto