On Mar 6, 2013, at 3:32 PM, Scharf, Michael (Michael) wrote: > For what it is worth, the exact phrasing in -14 confuses me: "An ALTO Server > MUST support SSL/TLS [RFC5246] to implement server and/or client > authentication, encryption, and/or integrity protection." I could read this > in a way that the ALTO server MUST announce all services on HTTPS URIs, and > this is certainly not what we want. (And, having "and/or" in a MUST statement > might not be perfect.)
Btw, client authentication in TLS is a bit more difficult (from an operational point of view) since you have to issue certificates to clients. If you on the other hand want a different credential to be used (for example shared secrets) then you will have to say that by choosing a different ciphersuite. The sentence above seems to indicate that you may want to want to support client authentication in TLS as well. A separate question is whether you actually use TLS. _______________________________________________ alto mailing list [email protected] https://www.ietf.org/mailman/listinfo/alto
