On 3/24/14, 9:58 AM, Michael Richardson wrote:
> Does SCIM have a mode where it is happy (and meaningful) to run unencrypted?

Technically? It might be possible. Pragmatically, an implementer should be loath to offer such functionality.

> I see in the charter talk about HTTP vs HTTPS.
> Reading three pages of the API document, it seems that one could run
> LIST/RETRIEVE operations in the clear.

Again, given the information that is being carried, while it is possible, it wouldn't be advisable, due to potential for PII being exposed (for instance).

> So, actually, I think that my advice is exactly correct.
>
> If the certificates for HTTPS do not verify, then you should treat the
> connection exactly as you would if it occurred over HTTP. If that
> means that the client shouldn't trust what the server says, then
> that's what the client should do.

I guess where we come together is that this has to be addressed based on target use cases, including who is operating the tool, the scale of deployment, and the sensitivity of the data, to name a few.

Eliot

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
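As an added illustration of the position taken in this thread (not code from either poster or from any SCIM implementation), here is a minimal SCIM client that fails closed: it refuses a non-https base URL outright and treats a certificate verification failure as an untrusted connection rather than falling back to cleartext. The host name, path and token are placeholders.

```python
import http.client
import json
import ssl
from urllib.parse import urlparse, ParseResult

SCIM_JSON = "application/scim+json"


def require_https(base_url: str) -> ParseResult:
    """Reject any SCIM base URL that is not https://.

    A SCIM LIST/RETRIEVE response carries user attributes (names, e-mail
    addresses, group membership), so cleartext transport is treated as a
    configuration error, never as a fallback."""
    parts = urlparse(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"SCIM endpoint must be https://, got {base_url!r}")
    return parts


def strict_tls_context() -> ssl.SSLContext:
    # create_default_context() already requires a valid chain and hostname
    # match; set both explicitly so a later edit cannot silently relax them.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def list_users(base_url: str, bearer_token: str, timeout: float = 10.0) -> dict:
    """SCIM LIST on /Users over verified TLS only (placeholder URL/token)."""
    parts = require_https(base_url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=strict_tls_context())
    try:
        conn.request("GET", parts.path.rstrip("/") + "/Users",
                     headers={"Authorization": f"Bearer {bearer_token}",
                              "Accept": SCIM_JSON})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"SCIM LIST failed: HTTP {resp.status}")
        return json.loads(resp.read())
    except ssl.SSLCertVerificationError as exc:
        # Server identity unproven: treat the reply exactly like one received
        # over plain HTTP, i.e. do not parse, cache or act on it.
        raise ConnectionError(f"TLS verification failed for {parts.hostname}: {exc}") from None
    finally:
        conn.close()
```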
