- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 5 Nov 2014 16:05:49 -0800
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 5 November 2014 15:39, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> if there's no required enforcement, then the others aren't really MUSTs, either.

Only if you like to play Russian Roulette. If the others aren't MUSTs, then when you don't comply you risk getting shut down. That's interoperability failure of a sort, is it not?

> If it rejects the client's security settings, the client can't know for sure what configuration the server would accept

I don't think that this is right. The reasons for sending INADEQUATE_SECURITY are precise, so it has to be one of those things. You aren't allowed to send INADEQUATE_SECURITY for other reasons (that is a clarification that I'm prepared to add to #615).

Can you describe a scenario where the server would send this message and the client would be unable to determine what was wrong?

Received on Thursday, 6 November 2014 00:06:17 UTC