W3C home > Mailing lists > Public > public-wsc-wg@w3.org > March 2007

RE: Produce material on name-based virtual hosting and TLS

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 6 Mar 2007 19:41:35 -0800
Message-ID: <198A730C2044DE4A96749D13E167AD3701147C62@MOU1WNEXMB04.vcorp.ad.vrsn.com>
To: "EKR" <ekr@networkresonance.com>
Cc: <public-wsc-wg@w3.org>

Does the protocol allow the client to state that it supports NBVH? If so the transition becomes smooth provided EV capable Web browsers also support NBVH as a matter of course. 

> -----Original Message-----
> From: EKR [mailto:ekr@networkresonance.com] 
> Sent: Tuesday, March 06, 2007 6:53 PM
> To: Hallam-Baker, Phillip
> Cc: public-wsc-wg@w3.org
> Subject: Re: Produce material on name-based virtual hosting and TLS 
> 
> Hallam-Baker, Phillip <pbaker@verisign.com> wrote:
> 
> > (cc'd to EKR for comment)
> >  
> > I thinbk we need a section 9.6 as follows
> >  
> > 9.6 Cryptographic protocol limitations
> >  
> > 9.6.1 Layering of HTTP on SSL requires a static IP address 
> per secured 
> > site
> >  
> > IPv4 address space is a finite and increasingly scarce 
> resource. In order to reduce pressure on the IPv4 address 
> space the HTTP/1.1 protocol allows multiple domains to be 
> hosted on a single IP address.
> >  
> > This feature is not fully supported when HTTP is layered on 
> SSL 3.0 or TLS 1.0. The HTTP URI or Host header specifying 
> the virtual domain to connect to is only transmitted after 
> the transport layer security negotiation is complete. This 
> configuration does not allow the server to vary the server 
> certificate presented unless a separate IP address is used per domain.
> >  
> > This restriction is lifted in RFC 4366 S 3.1. Clients that 
> verify that the domain name of the certificate matches the 
> domain name of the site should be encouraged to support this 
> extension.
> 
> 
> This seems pretty correct. It might be nice to mention that 
> servers can't safely use NBVH until client deployment becomes 
> ubiquitous.
> 
> -Ekr
> 
Received on Wednesday, 7 March 2007 03:41:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT