This request does not propose a specific solution, but encourages further comment and provides examples to encourage such discussion.

The team might consider adding informative text to the spec or companion "best practices" document to assist with "spec interpretation"/implementation and compatibility.

For example, best practices might indicate the following.

1. When a PENS 1.5.xsystem issuing a PENS collect command is transporting an "older" package format (aicc-pkg, scorm-pif, ims-qti) the issuing system should initially attempt to do both of the following:

   a). Adhere to PENS 1.5.X security practices for endpoints (e.g., use TLS, per Issue #4)

   b). Specify pens-version of 1.0.0 to provide broader compatibility to issue to either a 1.0.0 PENS-compliant system or a PENS 1.5.x compliant system.

2. When a PENS 1.5.x compliant system is receiving a PENS collect command and receives an endpoint URL that does not use encrypted transport, it should examine the pens-version and then:

   a). if the received pens-version is 1.0.0 it should accept the command and provide a warning regarding unencrypted transfer

   b). if the received pens-version is 1.5.0 it should reject the command and return an error