• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Affects Version/s: None
    • Component/s: Spec

      In the spec, it calls for a specific supported cipher suite for TLS. That includes an unencrypted variant, which is not a best practice. Consider eliminating that one. The only legitimate use cases for those are where the credentials are protected, but the payloads are not (for performance reasons). This only really makes sense when the end user knows the data being transferred is not sensitive. That will almost never be the case for a system implemented with this spec. If a "null" type cipher is desired by an implementer, that certainly may be added through extensibility. It should not be required for purposes of interoperability.

      This issue was raised by Ashok Malhotra and was Drupal issue #1090.
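
      A check for the point raised above, added here as an example and not taken from the spec or this tracker: it flags NULL-encryption suites in a profile's mandatory-to-implement list and in a local TLS context. The issue does not name the suite in question, so the `MANDATORY` list is a constructed sample using real IANA suite names, and the function names are hypothetical.

```python
import ssl


def is_null_encryption(suite: str) -> bool:
    """Return True if the suite name denotes NULL bulk encryption,
    i.e. the handshake is authenticated but the payload is sent in clear."""
    upper = suite.upper()
    if "_WITH_" in upper:
        # IANA form: TLS_<key exchange>_WITH_<cipher>_<mac>
        return upper.split("_WITH_", 1)[1].startswith("NULL")
    # OpenSSL form: hyphen-separated tokens, e.g. ECDHE-RSA-NULL-SHA.
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no _WITH_ and land here too.
    return "NULL" in upper.replace("_", "-").split("-")


def audit_mandatory(mandatory):
    """Split a mandatory-to-implement list into (rejected, kept)."""
    rejected = [s for s in mandatory if is_null_encryption(s)]
    kept = [s for s in mandatory if not is_null_encryption(s)]
    return rejected, kept


def null_suites_enabled(ctx: ssl.SSLContext):
    """List NULL-encryption suites a given SSLContext would offer."""
    return [c["name"] for c in ctx.get_ciphers() if is_null_encryption(c["name"])]


def default_client_null_suites():
    """Same check against this interpreter's default client context."""
    return null_suites_enabled(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


# Constructed sample: NOT the list from the spec under discussion.
MANDATORY = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    rejected, kept = audit_mandatory(MANDATORY)
    print("must not be mandatory:", rejected)
    print("acceptable as mandatory:", kept)
    print("NULL suites in default client context:", default_client_null_suites())
```

      The check covers bulk encryption only; anonymous key exchange (OpenSSL's `aNULL` class) is a separate property and is not flagged here.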

            Assignee:
            Adrian Otto (Inactive)
            Reporter:
            Anish Karmarkar (Inactive)