John Panzer wrote:
> You don't, because that's not what it means. All it says is that if
> you want to use Basic, you SHOULD be using some enhancement on top of it.
Actually, to nitpick, it says you SHOULD NOT use Basic.
"SHOULD NOT use Basic without enhancement". I read that as SHOULD use some
enhancement if using Basic.
What I really want to try to ensure is that client will _also_ be able
to talk to my server.
But as a client author I don't want to be told that I have to implement TLS
to be compliant. If yours is the only server that requires TLS support then
maybe I won't want to bother. If a lot of servers require it then I probably
should be considering it. And of course you may decide to change your mind
about requiring it if you find that not enough clients support it. In other
words let the market decide. Trying to get the spec to declare clients
non-compliant just because they don't agree with your security preferences
seems a bit unfair to me.
FWIW both Blogger and LiveJournal are quite happy to let me log in and edit
journal entries via their web interfaces without a secure connection.
LiveJournal at least uses a little MD5 challenge/response script - Blogger
just sends through the password in cleartext. I don't see why either of them
would suddenly decide to get all paranoid about security when it comes to
their APP implementations. But maybe I'm missing something.
Regards
James