On 7/1/06, Bjoern Hoehrmann <[EMAIL PROTECTED]> wrote:
* James M Snell wrote:
>PaceSecurityConsiderations has been updated for Draft-09. The various
>MUSTs have been removed.
>
I don't think section 14.1 is advisable. Lots of it seems untrue to me. For example,

"Because of potential interoperability issues that can arise when implementations do not use the authentication mechanisms provided by [RFC2616]..."

Interoperability isn't especially good with 2616/2617 mechanisms, so it seems the recommendations contained within the section reflect the preference of a few implementors. Otherwise, it seems to parrot 2616 while introducing subtle changes to that text. Restating is a no-no, and I am surprised the editors didn't take Paul's text -- it looked like a consensus call to me.

Beyond that, it contains beyond bogus text like

"A server receiving an atom:entry that has been encrypted using XML Encryption is permitted to process that entry in whatever manner it chooses."

The advice for executable content is inadequate. Media types aren't a security mechanism.

14.2 and 14.4 are the only things worth keeping here.

--
Robert Sayre

"I would have written a shorter letter, but I did not have the time."
