Stefan Strigler wrote:
Hi,

On Thursday, 07.08.2008, at 10:35 -0600, Peter Saint-Andre wrote:

Forwarding an older message from the [EMAIL PROTECTED] list...

-------- Original Message --------
Date: Tue, 13 Feb 2007 14:40:43 -0800
From: Steve Shaffer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Standards] XEP 0124 section 9?

Item 3) I'd also suggest that the connection manager SHOULD reject https connection requests if the connection manager can not establish a secure connection to the server. Otherwise the browser based connections may appear to be secure even when the XML stanzas are passed in the clear between the connection manager and the server.

In most scenarios the CM doesn't know about whether SSL is used on the underlying HTTP connection as there may be proxies or load balancers in between. So maybe the spec should read "If the CM CAN it MUST ...". (No need to have another SHOULD here)

But on the other hand I don't see a need for this requirement at all. Because all of this is totally under control of the client. The client knows whether it is connecting using https or not and it knows whether it's set the 'secure' attribute or not. So if a client decides to use https while not setting 'secure' to true it maybe doesn't make much sense but why bother?

Right. If the client is dumb, that is the client's problem. :)

Do we need to add a sentence about this to guide client developers, or is it clear that if you use https you want to also set the secure attribute to true?

Peter
