Responding to Dave’s point:
> But even just a simple binary switch on *sending* IEP-marked data seems more sensible than relying on the receiver to filter out thing they shouldn't have received in the first place.
This is feasible from an ACL perspective, but not from a software capability perspective. As a sender of information, I know which user accounts have which permissions, and can control access accordingly. I have no way of knowing if the receiving software will honor the IEP markings, unless it is mandated in the spec. Maybe we are talking about the same thing. I agree with only sending marked data to those who have permission to get it. However, how will I know if the person/org with permission has _software_ that’s capable of processing what I’m sending? I know of two ways – content negotiation and rules in the spec.
Dave Cridland
Participate | Collaborate | Innovate