W3C home > Mailing lists > Public > uri@w3.org > August 2003

Re: URI scheme listing for httpsy

From: Tyler Close <tyler@waterken.com>
Date: Thu, 14 Aug 2003 10:27:49 -0400
To: uri@w3.org
Message-Id: <E19nJ4x-0001T2-00@canteen>

On Thursday 14 August 2003 03:32, Larry Masinter wrote:
> Why again isn't this an extension to https?

It is. See:


> Why does it need its own scheme?

For fail-safe use of the authentication protocol.

The specification defines an authentication protocol and two URI
schemes: one for fail-open use and one for fail-safe use. The
fail-open URI scheme, the https *-subset, preserves connectivity
with old client software, but does not guarantee that the security
properties provided by the HTTPSY protocol are in effect. The
fail-safe URI scheme, httpsy, does make this guarantee, but at the
cost of breaking connectivity with old client software.

The https *-subset is only provided as a temporary bridge to
enable deployment of HTTPSY server applications during the rollout
of HTTPSY client applications. A gradual migration to httpsy URLs
is expected.

> You write
> "When interpreted by an HTTPSY-unaware client, etc. etc."
> but how can you give rules for what a client should
> do, if the client doesn't pay attention to the rules
> in this document?

The full text of this constraint is:

"When interpreted by an HTTPSY-unaware client, the semantics for
this scheme are the same as for the https scheme. The *key_id@
portion of the URL MUST be ignored."

As you can see, the specified behaviour is exactly the behaviour
of existing https clients. The constraint does not place any new
requirements on existing https clients. The purpose of the
constraint is only to specify the https client behaviour that the
https *-subset specification relies upon.


The union of REST and capability-based security:
Received on Thursday, 14 August 2003 10:50:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:06 UTC