Hi,

On Thursday, 07.08.2008, at 10:35 -0600, Peter Saint-Andre wrote:
> Forwarding an older message from the [EMAIL PROTECTED] list...
>
>
> -------- Original Message --------
> Date: Tue, 13 Feb 2007 14:40:43 -0800
> From: Steve Shaffer <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Standards] XEP 0124 section 9?
>
> Item 3)
> I'd also suggest that the connection manager SHOULD reject https connection
> requests if the connection manager cannot establish a secure connection
> to the server. Otherwise the browser based connections may appear to be
> secure even when the XML stanzas are passed in the clear between the
> connection manager and the server.

In most scenarios the CM doesn't know about whether SSL is used on the underlying HTTP connection as there may be proxies or load balancers in between. So maybe the spec should read "If the CM CAN it MUST ...". (No need to have another SHOULD here)

But on the other hand I don't see a need for this requirement at all. Because all of this is totally under control of the client. The client knows whether it is connecting using https or not and it knows whether it's set the 'secure' attribute or not. So if a client decides to use https while not setting 'secure' to true it maybe doesn't make much sense but why bother?

Cheers,
Steve
