Thanks Ben.
> Jeff and I had a f2f discussion about this point in Vancouver. To paraphrase
> (and I assume he will correct me if I mischaracterize anything), Jeff
> indicated that this really wasn't a MUST level requirement due to the
> variation and vagaries in application behavior and abilities.
Yes, see the NOTE in section 7.2.
> Rather, it's
> more of a "do the best you can" sort of thing. Specifically, he indicated
> that an implementation that chose to go ahead and serve unprotected content
> due to the listed caveats on redirecting to HTTPS would necessarily be
> out-of-compliance.
I presume you actually mean "not necessarily", which would then be correct,
unless I'm misunderstanding something.
> If the requirement is really that you SHOULD NOT (rather than MUST NOT) serve
> unprotected content, then I think the original language is okay.
Agreed.
thanks,
=JeffH