
Re: Gen-ART LC Review of draft-ietf-websec-strict-transport-sec-11

2012-08-10 03:56:02
On 02/08/2012 10:46, Ben Campbell wrote:
Hi, thanks for the response.  Comments inline:

On Jul 29, 2012, at 10:29 PM, =JeffH 
<Jeff(_dot_)Hodges(_at_)kingsmountain(_dot_)com> wrote:
 [...]
-- section 7.2:

Am I correct to assume that the server must never just serve the content over
a non-secure connection? If so, it would be helpful to mention that, maybe
even normatively.
It's a SHOULD, see the Note in that section, so it's already effectively stated 
normatively, though one needs to understand HTTP workings to realize it in the 
way you stated it above.  Perhaps could add a simple statement as you suggest 
to the intro para for section 7 Server Processing Model, to address this 
concern?

I think something of the form SHOULD redirect to HTTPS, but MUST NOT under any 
circumstances send the content unprotected would improve the text.

Sounds good to me. (And yes, this is implied, but it doesn't hurt to state explicitly.)

That's probably already implied, and a reasonable implementor wouldn't do it 
anyway. But my experience is that some readers will find strange 
interpretations whenever you give them the wiggle room to do so, so it's better 
to be explicit.
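As an added illustration of the server-side rule being discussed (a constructed example, not code from this thread or from the draft), the handler below answers a plain-HTTP request with a redirect to the https:// form of the same URL, sends no resource bytes and no Strict-Transport-Security header over the insecure connection, and a separate check function verifies an insecure response against those conditions. The policy value and the request/response shape are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed HSTS policy value for the example host.
STS_VALUE = "max-age=31536000; includeSubDomains"


def serve(request_url: str, secure: bool, content: bytes) -> tuple[int, dict, bytes]:
    """Return (status, headers, body) for a request to an HSTS host.

    `secure` says whether the request arrived over TLS. `content` is the
    resource the origin would normally return; it never appears in an
    insecure response.
    """
    parts = urlsplit(request_url)
    if not secure:
        # Rebuild the same URL with scheme "https"; drop an explicit :80.
        host = parts.hostname or ""
        netloc = f"{host}:{parts.port}" if parts.port and parts.port != 80 else host
        target = urlunsplit(("https", netloc, parts.path, parts.query, ""))
        # Permanent redirect with an empty body: the content is only ever
        # served over TLS, and the STS header is only sent over TLS.
        return 301, {"Location": target}, b""
    return 200, {"Strict-Transport-Security": STS_VALUE,
                 "Content-Type": "text/html"}, content


def insecure_response_is_safe(status: int, headers: dict, body: bytes) -> bool:
    """Check a response sent over plain HTTP against the rule discussed above:
    it must redirect to https://, carry no body and no STS header."""
    if status not in (301, 308):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" in lowered:
        return False
    if not lowered.get("location", "").startswith("https://"):
        return False
    return body == b""


if __name__ == "__main__":
    # Constructed sample requests.
    print(serve("http://example.com/a?b=1", False, b"<p>secret</p>"))
    print(serve("https://example.com/a?b=1", True, b"<p>secret</p>"))
```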