- From: Larry Masinter <LMM@acm.org>
- Date: Thu, 14 Aug 2003 18:15:10 -0700
- To: "'Tyler Close'" <tyler@waterken.com>, uri@w3.org
Let me try to be more direct. The interesting policy document here is RFC 3205, section 4: Note that the convention of appending an "s" to the URL scheme to mean "use TLS or SSL" (as in "http:" vs "https:") is nonstandard and of limited value. For most applications, a single "use TLS or SSL" bit is not sufficient to adequately convey the information that a client needs to authenticate itself to a server, even if it has the proper credentials. For instance, in order to ensure that adequate security is provided with TLS an application may need to be configured with a list of acceptable ciphersuites, or with the client certificate to be used to authenticate to a particular server. When it is necessary to specify authentication or other connection setup information in a URL these should be communicated in URL parameters, rather than in the URL prefix. Why is httpsy different? Larry -- http://larry.masinter.net
Received on Friday, 15 August 2003 15:05:10 UTC