Wendy, Colleagues,

On 5 Mar 2013, at 15:39, Wendy Roome wrote:

> Richard,
>
> Your proposal sounds fine. After all, it's a "motherhood" statement. Who
> could argue with, "If you need security, etc, use ssl/tls."?
>
> However, I am surprised by the suddenly perceived need for security, and I'd
> object to anything that implies that the default is to use ssl/tls. I think
> that will kill the protocol. I'd always thought that ALTO was primarily
> intended to be a public service that network operators provide to all
> applications, not an exclusive service available only to a few trusted
> components. A network operator would provide a public ALTO service because it
> benefits the operator as well as the client. Sure, some operators might
> restrict access, but most wouldn't bother.

I guess that's how ALTO started but for the use cases I'm considering it is the case that the services would be private (in the sense that the owner will not open them up to anyone to use) and authentication/encryption would likely be required by the ALTO server operator.

Having said that, it doesn't matter to me a great deal what the ALTO protocol specification says about TLS while all it says is something along the lines of "MUST implement TLS". If it started talking about requiring servers to validate client certificates that'd be a different matter (Basic Auth over HTTPS/TLS is sufficient IMO).

Ben

_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto
