
Re: [Fwd: SEC - Protocol names for security protocols]

From: Dan Connolly <connolly@w3.org>
Date: Fri, 28 Feb 1997 14:35:55 -0600
Message-Id: <331741AB.216A0B2D@w3.org>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg@cuckoo.hpl.hp.com

Larry Masinter wrote:
> Date: Fri, 28 Feb 1997 11:32:57 PST
> From: Carl-Uno Manros <cmanros@cp10.es.xerox.com>
...

> I believe that if SSL is used in combination with HTTP it
> is currently identified with "SHTTP" in the URL rather than just "HTTP". Is
> this correct?

Nope. SHTTP is the Shiffman et al. protocol.

HTTP over SSL is https:...

I don't have exact citations, nor do I have time to look
them up.

If anybody else does, I'm interested: I maintain:

	http://www.w3.org/pub/WWW/Addressing/schemes

> Our
> assumption is that once you are in the secure protocol, you can then
> negotiate which security features within that protocol you want to use.

Yes, due to the possibility of man-in-the-middle attacks,
"bootstrapping" security is quite difficult: you can't just
take cleartext declarations of the form "printer X does/does not
support security mechanism Y" and act on them. You have to
have some way of authenticating even that first step.

So you really need a protocol with message integrity before
you can even start negotiating.

You could get security declarations (and key/certificate material)
out of authenticated body parts (e.g. HTML docs) sent over HTTP
using MD5-auth or some such. Hmmm...

Dan
Received on Friday, 28 February 1997 12:40:39 EST
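
Added example, not part of the original message: a small model of the bootstrapping problem described above, where a cleartext "printer X supports mechanism Y" declaration that is altered in transit is accepted by a naive client but rejected by one that checks message integrity first. The shared key, the JSON layout, the function names and the use of HMAC-SHA256 (in place of the MD5-auth the message mentions) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: client and printer obtained this key out of band (constructed value).
SHARED_KEY = b"constructed-demo-key"


def declare(mechanisms, key=None):
    """Build a capability declaration; attach an HMAC tag when a key is given."""
    body = json.dumps({"printer": "X", "supports": sorted(mechanisms)},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest() if key else None
    return {"body": body, "tag": tag}


def tamper(message):
    """Model an in-path change that rewrites the declaration to 'no security'."""
    doc = json.loads(message["body"])
    doc["supports"] = []
    # The tag cannot be recomputed without the key, so it is carried over as-is.
    return {"body": json.dumps(doc, sort_keys=True).encode(),
            "tag": message["tag"]}


def accept_cleartext(message):
    """Naive client: acts on whatever the declaration says."""
    return json.loads(message["body"])["supports"]


def accept_authenticated(message, key):
    """Verify integrity before acting; return None if the check fails."""
    if message["tag"] is None:
        return None  # an unauthenticated declaration is never acted on
    expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None  # body was changed after the sender tagged it
    return json.loads(message["body"])["supports"]


if __name__ == "__main__":
    plain = declare(["mechanism-Y"])
    signed = declare(["mechanism-Y"], SHARED_KEY)
    print("cleartext, altered:    ", accept_cleartext(tamper(plain)))
    print("authenticated, intact: ", accept_authenticated(signed, SHARED_KEY))
    print("authenticated, altered:", accept_authenticated(tamper(signed), SHARED_KEY))
```

The naive client silently ends up with an empty mechanism list, while the verifying client refuses to negotiate at all when the declaration fails its integrity check.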
