On 25 July 2014 11:06, Edward Burns <edward.burns_at_oracle.com> wrote:
> Getting more specific, back to the spec text:
>
> Section_1.2> All servlet containers must support HTTP as a protocol for
> Section_1.2> requests and responses, but additional
> Section_1.2> request/response-based protocols such as HTTPS (HTTP over
> Section_1.2> SSL) may be supported.
>
> Greg, for now, can you support changing the text to read:
>
> Section_1.2> All servlet containers must support HTTP and HTTPS (HTTP
> Section_1.2> over SSL) as a protocol for requests and responses.
>
> When httpbis WG delivers their final verdict on the requirement of TLS,
> we will revisit this text.
>
Ed,
I'm definitely supportive of making HTTPS a SHOULD, but am cautious about
making it a MUST.
However, it is not a huge concern if it is a MUST as the special cases that
might not be able to support HTTPS probably don't mind about 100% spec
compliance anyway.
I just think that we have to be very careful to not over promise. ie have
text that says https will only mitigate monitoring.
cheers
--
Greg Wilkins <gregw_at_intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.