I have reservations about mandating TLS because security may already be provided at a lower protocol level and that may not even be evident to the client or to the server. This could arise from client device policy that causes IPSec to be used behind the scenes - assuming that the server supports that. Ditto tcpcrypt. So mandating TLS may result in double encryption. It also chooses a particular security protocol that may not be the choice of either the client or the server. What I _do_ want to see is more secure communications, perhaps going as far as that insecure communications are only used when that is the explicit (non-default) choice, agreed to by both parties. That probably takes it outside the scope of HTTP.
Received on Tuesday, 24 July 2012 11:15:26 UTC