James Holderness wrote on 2/23/2006, 2:42 PM:

> > John Panzer wrote:
> ...
> > What I really want to try to ensure is that client will _also_ be able
> > to talk to my server.
>
> But as a client author I don't want to be told that I have to implement TLS
> to be compliant.

You don't. A SHOULD is not a MUST.

> If yours is the only server that requires TLS support then
> maybe I won't want to bother. If a lot of servers require it then I probably
> should be considering it.

I think Blogger has a respectable number of blogs.

> And of course you may decide to change your mind
> about requiring it if you find that not enough clients support it. In other
> words let the market decide.

So why didn't we use that same logic about whether HTML should be allowed in summaries?

> Trying to get the spec to declare clients
> non-compliant just because they don't agree with your security preferences
> seems a bit unfair to me.

Perhaps you're confusing me with someone else who is trying to add MUSTs to the spec. I'm just trying to put up some road signs. And again I'm not trying to force security preferences on anyone. I think there's a pretty well established practice, and hence a recommendation that this spec can make that will enhance interoperability. It doesn't constrain anyone and it doesn't make anyone non-compliant no matter what they do.

> FWIW both Blogger and LiveJournal are quite happy to let me log in and edit
> journal entries via their web interfaces without a secure connection.

Why would the security practices in web browsers be relevant to interoperability of to-be-written clients and servers?

> LiveJournal at least uses a little MD5 challenge/response script - Blogger
> just sends through the password in cleartext. I don't see why either of them
> would suddenly decide to get all paranoid about security when it comes to
> their APP implementations. But maybe I'm missing something.

I dunno, why does the Blogger pre-standard Atom API use HTTPS+Basic Auth (http://code.blogger.com/archives/atom-docs.html)?

Maybe they suddenly got paranoid?

--
John Panzer
Sr. Technical Manager
http://journals.aol.com/panzerjohn/abstractioneer
