> Short answer: BCP 61, Section 7.
> <http://tools.ietf.org/html/bcp61#section-7>

I'm not sure; are you pointing to "However security must be a MUST IMPLEMENT so that end users will have the option of enabling it when the situation calls for it."?

This does not say TLS must be used, but only that "security" is mandatory.

TLS provides point-to-point security, but not end-to-end, the latter providing a higher level of confidentiality.

So, when end-to-end security is desired by a user in some scenario, an implementation could provide a message payload encryption scheme and BCP 61, Section 7 would be fulfilled without having TLS implemented.

What about

"""
Point-to-point communications confidentiality and integrity is provided by running the WebSocket protocol over TLS (wss URIs). WebSocket implementations MUST support TLS, and SHOULD employ it when communicating with their peers, unless a stronger form of security scheme like end-to-end encryption is in place.
"""

> On Sep 12, 2011, at 5:49 AM, Tobias Oberstein wrote:
>
> > """
> > 10.6. Connection confidentiality and integrity
> >
> > Communications confidentiality and integrity is provided by running
> > the WebSocket protocol over TLS (wss URIs). WebSocket
> > implementations MUST support TLS, and SHOULD employ it when
> > communicating with their peers.
> > """
> >
> > Why MUST?
> >
> > For example, TLS does not provide end-to-end confidentiality when
> > WebSockets are used for communicating between client peers, and the WS
> > server is only there to mediate e.g. publish/subscribe messages.
> >
> > In this case, confidentiality/integrity can be accomplished by
> > encrypting the payload of the messages, but without encrypting the
> > point-to-point transports between the clients and the server.
> > Encrypting the transport when the payload is already encrypted does
> > not make sense in this scenario.
> >
> > I'd like to suggest:
> >
> > """
> > When point-to-point communication confidentiality and integrity is
> > desired and sufficient, the implementation SHOULD use TLS.
> > """
> >
> > _______________________________________________
> > hybi mailing list
> > hybi@ietf.org
> > https://www.ietf.org/mailman/listinfo/hybi
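The scenario the thread describes (a WebSocket server that only relays publish/subscribe messages between clients), as an added Go example that is not code from the thread or from any WebSocket implementation: a relay forwarding plain frames can read and alter them no matter how the two hops are protected, while AES-GCM payload encryption under a key the relay never holds keeps both confidentiality and integrity end to end. `Relay`, `Seal`, `Open` and `RelayCanRead` are hypothetical names and the key is a constructed demo value.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Relay models a WebSocket server that only mediates publish/subscribe traffic.
// TLS (wss) protects the two hops to and from it, not what the relay itself sees.
type Relay struct{ Observed [][]byte }
// Forward hands a frame from publisher to subscriber and records what it saw.
func (r *Relay) Forward(frame []byte) []byte {
	r.Observed = append(r.Observed, append([]byte(nil), frame...))
	return frame
}
// Seal encrypts and authenticates a payload with a key the relay never holds
// (AES-256-GCM, nonce prefixed). Constructed illustration, not a WebSocket API.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open reverses Seal; it fails if the relay (or anyone else) altered the frame.
func Open(key, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(frame) < gcm.NonceSize() { return nil, fmt.Errorf("frame too short") }
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], nil)
}
// RelayCanRead reports whether any forwarded frame exposed the plaintext.
func RelayCanRead(r *Relay, plaintext []byte) bool {
	for _, f := range r.Observed {
		if bytes.Contains(f, plaintext) { return true }
	}
	return false
}
func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real peers would agree on one out of band
	r, msg := &Relay{}, []byte("hi")
	sealed, _ := Seal(key, msg)
	out, _ := Open(key, r.Forward(sealed))
	fmt.Printf("relay saw plaintext: %v; subscriber read %q\n", RelayCanRead(r, msg), out)
}
```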