Hi,

On Tue, Mar 05, 2013 at 10:39:00AM -0500, Wendy Roome wrote:
> Richard,
>
> Your proposal sounds fine. After all, it's a "motherhood" statement. Who
> could argue with, "If you need security, etc, use ssl/tls."?
>
> However, I am surprised by the suddenly perceived need for security,

I don't believe that this came suddenly. Please have a look at our requirements document, RFC 6708, Section 3.3. The requirements have been discussed and written down quite some time ago, then the doc has been kept open to allow modifications and it has been finalized only some months ago.

> and I'd
> object to anything that implies that the default is to use ssl/tls. I think
> that will kill the protocol.

Can you please be more specific. Would it be too painful to write an ALTO server and client software that has TLS support? Or do you fear that operators would refrain from installing an ALTO server if they read that they SHOULD enable TLS?

The IETF usually standardizes protocols, not use cases. Assuming that TLS support is not too painful at software implementation level, I'd prefer to see it mandatory (MUST). Regarding the second aspect we could use a rather weak statement such as the "Note:" preamble of Sec. 3.3 in RFC 6708 or maybe make no statement at all.

Thanks
Sebastian

_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto
