- From: David P. Kemp <dpkemp@missi.ncsc.mil>
- Date: Wed, 5 Feb 1997 14:58:01 -0500
- To: ietf-tls@w3.org
> From: "Alan O. Freier" <freier@netscape.com> > What Tom was referring to is trying to use a single port number and > determining through some lazy evaluation function whether or not the > association was secure. I think the question is do we need IANA to be the "some alternate protocol" that defines the stack which is operating on a particular port. My contention is that formal registration is not needed. The only advantage of a well known number for SSL is to allow "https://foo.com:443" to be abbreviated to "https://foo.com". Given that port 80 is already well known and established as a rendezvous point, even sites who's security policy requires SSL for everything could use http on port 80 to redirect all connections to https on some other port. That some other port does not have to be well-known. Registration of 443 with IANA neither requires connections on port 443 to use SSL nor prohibits connections on other ports from using SSL. Thus the decision on whether or not to register with IANA cannot be justified by using arguments related to security. Tom's question, "I have a connection on port xxx - is it secure or not?" may be easy or difficult or impossible to answer. But my point is that his question is irrelevant to the issue of whether to register well-known ports for SSL, and invoking security arguments to answer a non-security-relevent question is a non-sequitur.
Received on Wednesday, 5 February 1997 14:59:12 UTC