Keith Moore wrote:
>> Servers are REQUIRED to implement "TLS + Basic" OR Digest.
>> Clients are REQUIRED to implement Digest. If the client
>> supports TLS then it is also REQUIRED to support "TLS + Basic".
>
> Won't fly, because it doesn't ensure interoperability.

Requiring TLS in all clients will force non-compliant clients.
Also, after looking at TLS more closely, TLS poses additional
interoperability concerns (specifically, there are no required
ciphers, only recommended ones.) If a TLS-capable server and
client can't find a common cipher to use, then they either have to
send data in the clear or drop the connection, which either kills
security or interoperability (take your pick)...
As much as I hate to say it, we're getting back to requiring Digest
alone (with the appropriate caveats in the implementer's guide).

Michael Sweet, Easy Software Products                  mike at easysw.com
Printing Software for UNIX                       http://www.easysw.com