I suggest just putting it back the way it was -- "An ALTO server MAY use
ssl/tls ..." Let the market decide. Providers who want to protect their
data will only provide secure ALTO servers. Fine! But if someone wants to
provide ALTO as a public service, and they don't care who uses it, why
should they be required to use ssl/tls?

Also, ssl/tls is independent of the ALTO protocol spec. It's not like the
protocol defines client ids, how to authenticate clients, etc.

Finally, wasn't one of our goals to allow proxy servers to cache full cost
maps, to cut the load on ALTO servers? Wouldn't the ssl/tls requirement
prevent that?

        - Wendy Roome


On 03/04/2013 13:23, "Reinaldo Penno (repenno)" <[email protected]> wrote:

>Agreed. It would be good if we added wording such as:
>
>"An ALTO Server MUST support TLS/SSL unless there is an implicit trust
>relationship between client and server."
>
>Implicit trust could mean that client and server are operated by the same
>entity, or sit in some trusted network, etc.
>


_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto
