W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 14 Jun 2007 16:19:20 -0400
Message-ID: <4671A2C8.6050509@cs.utk.edu>
To: "tom.petch" <cfinss@dial.pipex.com>
CC: Adrien de Croy <adrien@qbik.com>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org

>> how exactly does sending TLS credentials involve ferreting around in the
>> depths of a network stack?
> It doesn't:-)  Those responsible for the creation and maintenance of security
> credentials - which I see as the major ongoing work of security - prefer to do
> at an application level, using appropriate databases, which are
> somewhat removed from the lower layers in which TLS sits.  So TLS has a
> different set of credentials or none, which is the problem that channel binding
> overcomes.
maybe what I think of as "application level" is different than how you
think of this term, but I've never heard of a client application that
uses TLS where TLS wasn't being called by the application, and where the
application wasn't in a position to supply credentials via TLS to the

I'm not trying to be picky here.  Rather I think there's probably an
important principle here that needs to be teased out.

Received on Thursday, 14 June 2007 20:43:04 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 05:36:23 UTC