Hi, On Tue, Mar 05, 2013 at 07:44:01AM +0000, Ben Niven-Jenkins wrote: > I think we should separate authentication from encryption/integrity > more explicitly as I think there may be cases where one is required > but not the other.
I would rather distinguish between authentication/integrity protection (i.e., ensuring that the client gets non-forged guidance) and encryption (i.e., keep the client's queries and/or the server's replies secret from a third party). Furthermore, we need to distinguiush between implementation, i.e., a piece of software, and deployment of that software in a specific network scenario. I'd say a RFC-compliant implementation MUST support TLS and an operator setting up that software SHOULD enable it. As this document is about standardizing the protocol, it might be wise to omit the second half of that sentence and move recommendations regarding the deployment to the deployment considerations draft. Thanks Sebastian _______________________________________________ alto mailing list [email protected] https://www.ietf.org/mailman/listinfo/alto
