W3C home > Mailing lists > Public > uri@w3.org > June 2001

Re: fyi: should URIs convey protocol/service layering?

From: Al Gilman <asgilman@iamdigex.net>
Date: Sat, 16 Jun 2001 10:36:49 -0400
Message-Id: <200106161432.KAA703746@smtp2.mail.iamworld.net>
To: "Roy T. Fielding" <fielding@ebuilt.com>, Dan Connolly <connolly@w3.org>
Cc: uri@w3.org
At 08:56 PM 2001-06-15 , Roy T. Fielding wrote:
>> But folks have mostly avoided the practical side of
>> this issue by layering everything on top of http;
>> a noteable exception is https:, where I wish
>> we would have avoided putting the "secure" flag
>> in the name.
>But we could not have avoided that.  The security context must be established
>before the client uses the URL in any other way, which meant that an http URL
>cannot be used because of the risk of older browsers mistaking it for a
>request without secure communication.  

AG:: Can you expand on this last idea a bit?  Under what circumstances is the
URL not usable without a security failure?


>                                       An alternative could have been to use
>a compound URL, but like the "ssl" example above the result would be a lot
>of redundant information.  The only thing "saved" by doing so is the cost of
>adding a URL scheme to the namespace, which has proven to be of zero cost
>for those applications that are implemented in accordance with the WWW
>architecture, which expects the URI scheme namespace to be extensible.
>In fact, the advantage of using https over http.ssl is that we can now
>negotiate the security context rather than assume it is SSLv1.
>In any case, http and https define two entirely different naming authorities,
>even when their implementations reside on the same machine.  It therefore
>makes sense that they be different schemes.
Received on Saturday, 16 June 2001 10:32:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:03 UTC