I missed this due to all the HTML in the email...

>>
>>How about this?
>>
>>OLD:
>>"Implementers need to consider the policy and privacy implications of
>>returning information that was not explicitly requested."
>>
>>NEW:
>>"Implementers need to consider the policy and privacy implications of
>>returning information that was not explicitly requested. Clients should
>>only receive information that they are explicitly authorized to receive."
>
>Almost... "Servers should only send information that clients are explicitly
>authorized to receive."
>
>The way it is worded is impossible to "enforce."

How does this work with anonymous access to public information, which is how this information is served today? How do I "explicitly" authorize an anonymous user?

I think the old text above is good enough and find the next text (both versions) to be confusing.

-andy