Agreed. It would be good if we added wording such as: "An ALTO Server MUST support TLS/SSL unless there is an implicit trust relationship between client and server."

Implicit trust could mean that client and server are operated by the same entity, or sit in some trusted network, etc.

On 3/4/13 3:18 PM, "Wendy Roome" <[email protected]> wrote:

>Can anyone explain why every ALTO server is now *required* to provide an
>https interface, and encryption, and client authentication? That seems to
>be a rather onerous requirement. The basics aren't bad, but doing it the
>right way -- using a properly signed certificate from a recognized
>authority, keeping the keys and user info protected, etc -- is a lot of
>work.
>
>Or does that just mean that if an ALTO server chooses to do
>encryption/authentication, it must do it via ssl/tls, rather than some ad
>hoc scheme?
>
> - Wendy Roome
>
>
>>Date: Fri, 1 Mar 2013 22:26:49 -0500
>>From: "Y. Richard Yang" <[email protected]>
>>Subject: [alto] Summary of draft-ietf-alto-protocol changes between
>> -13 and -14
> ......
>>
>> - Changed from MAY to MUST: An ALTO Server MUST support SSL/TLS
>>[RFC5246]
>>to implement server and/or client authentication ... (Sec. 7.3.5 in -14;
>>Sec. 6.3.5 in -13)
>>
>
>
>_______________________________________________
>alto mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/alto
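As an added illustration of what the proposed "MUST support TLS unless implicitly trusted" wording means on the client side (example code, not from the thread or the ALTO drafts): it assumes an operator-maintained list of implicitly trusted hosts, the IRD layout of RFC 7285, and a constructed sample IRD.

```python
import json
import ssl
from urllib.parse import urlparse

# Constructed sample Information Resource Directory in the RFC 7285 layout
# (an assumption for this example, not taken from draft -14).
SAMPLE_IRD = json.dumps({
    "meta": {},
    "resources": {
        "default-network-map": {
            "uri": "https://alto.example.com/networkmap",
            "media-type": "application/alto-networkmap+json",
        },
        "legacy-cost-map": {
            "uri": "http://alto.example.com/costmap",
            "media-type": "application/alto-costmap+json",
        },
    },
})

# Hosts the operator has declared to share an "implicit trust relationship"
# with this client (same operator, same trusted network). Any host not on
# this list must be reached over TLS, which is the exception the proposed
# wording carves out; the list is the operator's explicit decision, not
# something inferred at runtime.
IMPLICITLY_TRUSTED = {"alto.internal.example.net"}

def tls_required(server_host, trusted=IMPLICITLY_TRUSTED):
    """True unless the host is on the explicit implicit-trust list."""
    return server_host.lower() not in trusted

def make_client_context(client_cert=None, client_key=None):
    """TLS done 'the right way': chain and hostname are verified against the
    system CA store; a client certificate is presented only if configured."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True              # already the default; made explicit
    ctx.verify_mode = ssl.CERT_REQUIRED    # never accept an unverified server
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def context_is_strict(ctx):
    """Check that a context will refuse unverified servers."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

def insecure_resources(ird_json, trusted=IMPLICITLY_TRUSTED):
    """IRD resource ids served over plain http by a host with no implicit
    trust relationship, i.e. where the MUST-support-TLS rule applies."""
    bad = []
    for rid, res in json.loads(ird_json).get("resources", {}).items():
        u = urlparse(res["uri"])
        if u.scheme != "https" and tls_required(u.hostname or "", trusted):
            bad.append(rid)
    return sorted(bad)
```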
