Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Spec
    • Labels:
      None

      Description

      In the spec, it calls for a specific supported cipher suite for TLS. That includes an unencrypted variant, which is not a best practice. Consider eliminating that one. The only legitimate use cases for those are where the credentials are protected, but the payloads are not (for performance reasons). This only really makes sense when the end user knows the data being transferred is not sensitive. That will almost never be the case for a system implemented with this spec. If a "null" type cipher is desired by an implementer, that certainly may be added through extensibility. It should not be required for purposes of interoperability.

      This issue was raised by Ashok Malhotra and was Drupal issue #1090.

            People

            • Assignee:
              adrian.otto Adrian Otto (Inactive)
              Reporter:
              akarmark Anish Karmarkar (Inactive)