On 9/12/11 11:01 AM, Richard L. Barnes wrote:
>
> On Sep 12, 2011, at 7:13 AM, Tobias Oberstein wrote:
>
>>> Short answer: BCP 61, Section 7.
>>> <http://tools.ietf.org/html/bcp61#section-7>
>>
>> I'm not sure, are you pointing to
>>
>> " However security must be a MUST IMPLEMENT so that end users
>> will have the option of enabling it when the situation calls for
>> it. "?
>>
>> This does not say TLS must be used, but only that "security" is
>> mandatory.
>>
>> TLS provides point-to-point security, but not end-to-end, the
>> latter providing a higher level of confidentiality.
>>
>> So, when end-to-end security is desired by a user in some
>> scenario, an implementation could provide a message payload
>> encryption scheme and BCP 61, Section 7 would be fulfilled without
>> having TLS implemented.
>>
>> What about
>>
>> """ Point-to-point communications confidentiality and integrity is
>> provided by running the WebSocket protocol over TLS (wss URIs).
>>
>> WebSocket implementations MUST support TLS, and SHOULD employ it
>> when communicating with their peers, unless a stronger form of
>> security scheme like end-to-end encryption is in place. """
>
> -1
>
> This text doesn't change anything meaningful. The current "MUST
> support / SHOULD employ" is entirely standard for compliance with BCP
> 61 and sufficiently describes the requirements in this case.

Agreed (with my AD hat on).

Peter

--
Peter Saint-Andre
https://stpeter.im/