Hi Javier,--On October 16, 2009 10:49:16 AM -0300 Javier Godoy <rjgodoy at fich.unl.edu.ar> wrote:
1) The first point relates to a requirement for clients to support TLS. Currently the spec says nothing except that servers MUST support it. I propose added a statement that clients SHOULD support TLS. There was some debate as to whether that ought to be a MUST. Please comment..+1. I think the situation described below should be explictly stated in order to clarify the meaning of the SHOULD and illustrate some situations in which ignoring this requirement might be appropriate . BTW, If the consensus were keeping the MUST, note that TLS is described as optional in several sections (e.g. section 11 and 13).
Alexey's text proposes that for clients support of TLS is a MUST, but use of it is a SHOULD. i.e., it is still optional to actually use TLS, but clients have to provide the capability so users can choose to use it if they want.
I believe support of TLS ought to be a SHOULD due to the various reasons I listed.
So let me make a more concrete text proposal for what I propose: Clients SHOULD support TLS. In most cases TLS SHOULD be used by clients, though in some situations, e.g., where some other form of security is known to be in place, it need not be supported or used. I think Alexey's suggestion just boils down to this: Clients MUST support TLS, and SHOULD use it.So we need consensus on which of the above two proposed text changes we should adopt (or another proposal).
-- Cyrus Daboo