1 Jul 2009 16:50
Re: Updating the requirements draft
Enrico Marocco <enrico.marocco <at> telecomitalia.it>
2009-07-01 14:50:11 GMT
John Leslie wrote:
> I see very little need to state that in a "requirements" draft (or,
> really, in any ALTO document), but if we were to go that far, I would
> want to add language to the effect that if the provider's ALTO server
> _doesn't_ provide the information, other ALTO servers are likely to use
> estimates obtained by other means.

Yep, that would be quite in the spirit of my initial comment.

> I recommend we go no farther than to say that privacy concerns
> between a provider and customer are outside the scope of this work.
> (Let the market work out what the balance should be.)

Agreed. However, the protocol should provide at least basic mechanisms to deal with privacy. Right now we have a requirement for support of mutual authentication for clients and servers. Is that enough? While probably servers should always be authenticated, in some cases clients may prefer to avoid explicit authentication and have privacy addressed on a network location basis. Of course, if we decide to address such cases, there are implications we cannot ignore (e.g. we should define mandatory behavior for intermediaries, or discourage/forbid intermediaries at all).

> I do not agree with the "should" in:
> "
> " a server should take care of disclosing sensible information only to
> " the clients that information is about

That was actually not 2119 speak meant to go in any IETF document, just a general consideration for whatever value of "sensible information" seems appropriate ;)

--
Ciao,
Enrico