David,

> If this is changed to a MUST, Facebook will be in violation of the
> specification moving forward. It is untenable to require all of our
> *client* developers to implement TLS endpoints though we certainly
> support developers who wish to do so. This is very different than
> offering our entire API (and now site as opt-in) over TLS as the
> server.

Why is it untenable?

Is it because of the cost of a certificate? Many CAs offer certificates for less than $100, and there are free certificates. See http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers.

Is it because of the cost of hosting an SSL site? You can have your own virtual server at Amazon for $14 a month.

Is it because of the inconvenience of having to spend a few hours getting a certificate and adding SSL to your site?

And how about putting your users and your data at risk? Is that tenable?

Francisco
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth