On 10/08/12 00:03, Alexey Melnikov wrote:
On 02/08/2012 10:46, Ben Campbell wrote:
Hi, thanks for the response. Comments inline:
On Jul 29, 2012, at 10:29 PM, =JeffH <Jeff(_dot_)Hodges(_at_)kingsmountain(_dot_)com>
wrote:
[...]
-- section 7.2:
Am I correct to assume that the server must never just serve the
content over a non-secure connection? If so, it would be helpful to
mention that, maybe even normatively.
It's a SHOULD, see the Note in that section, so it's already
effectively stated normatively, though one needs to understand HTTP
workings to realize it in the way you stated it above. Perhaps could
add a simple statement as you suggest to the intro para for section
7 Server Processing Model, to address this concern?
I think something of the form SHOULD redirect to HTTPS, but MUST NOT
under any circumstances send the content unprotected would improve
the text.
Sounds good to me. (And yes, this is implied, but it doesn't hurt to
state explicitly.)
That's probably already implied, and a reasonable implementor
wouldn't do it anyway. But my experience is that some readers will
find strange interpretations whenever you give them the wiggle room
to do so, so it's better to be explicit.
<hat="individual">
Agree with Alexey and Ben. Tobias
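
The behaviour the thread converges on for requests arriving over a non-secure connection (redirect to HTTPS where possible, never send the content), sketched as an added example that is not part of the original messages or of the draft under discussion. The WSGI middleware `require_https`, the sample `demo_app`, the helper `call` and the host `example.test` are assumptions made for illustration, as is redirecting to the default HTTPS port.

```python
import re
from urllib.parse import quote

# Hostname with an optional port; anything else cannot form a safe Location.
_HOST_RE = re.compile(r"([A-Za-z0-9.-]+)(?::\d+)?")

def require_https(app):
    """Hypothetical WSGI middleware: plaintext requests never reach `app`."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return app(environ, start_response)
        m = _HOST_RE.fullmatch(environ.get("HTTP_HOST", ""))
        if m is None:
            # No usable redirect target: refuse, but still send no content.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        path = quote(environ.get("SCRIPT_NAME", "") + (environ.get("PATH_INFO") or "/"))
        query = environ.get("QUERY_STRING", "")
        # Assumption: the HTTPS service listens on the default port.
        location = "https://" + m.group(1) + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware

def demo_app(environ, start_response):
    """Constructed stand-in for the protected content."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"account balance: 42"]

def call(app, scheme, host, path="/", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET",
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    if host is not None:
        environ["HTTP_HOST"] = host
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    guarded = require_https(demo_app)
    print(call(guarded, "http", "example.test:8080", "/acct", "id=7"))
    print(call(guarded, "http", "bad host"))
    print(call(guarded, "https", "example.test", "/acct"))
```
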