Produce material on name-based virtual hosting and TLS from Hallam-Baker, Phillip on 2007-03-06 (public-wsc-wg@w3.org from March 2007)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 6 Mar 2007 15:14:39 -0800
To: <public-wsc-wg@w3.org>
Cc: "EKR" <ekr@networkresonance.com>
Message-ID: <198A730C2044DE4A96749D13E167AD3701147C45@MOU1WNEXMB04.vcorp.ad.vrsn.com>

(cc'd to EKR for comment)
 
I thinbk we need a section 9.6 as follows
 
9.6 Cryptographic protocol limitations 
 
9.6.1 Layering of HTTP on SSL requires a static IP address per secured site
 
IPv4 address space is a finite and increasingly scarce resource. In order to reduce pressure on the IPv4 address space the HTTP/1.1 protocol allows multiple domains to be hosted on a single IP address.
 
This feature is not fully supported when HTTP is layered on SSL 3.0 or TLS 1.0. The HTTP URI or Host header specifying the virtual domain to connect to is only transmitted after the transport layer security negotiation is complete. This configuration does not allow the server to vary the server certificate presented unless a separate IP address is used per domain.
 
This restriction is lifted in RFC 4366 S 3.1. Clients that verify that the domain name of the certificate matches the domain name of the site should be encouraged to support this extension.

Received on Tuesday, 6 March 2007 23:14:54 UTC