W3C home > Mailing lists > Public > uri@w3.org > August 2003

RE: URI scheme listing for httpsy

From: Larry Masinter <LMM@acm.org>
Date: Thu, 14 Aug 2003 18:15:10 -0700
To: "'Tyler Close'" <tyler@waterken.com>, uri@w3.org
Message-id: <005e01c362ca$abe47da0$faa52099@MasinterT40>

Let me try to be more direct.

The interesting policy document here is RFC 3205, section 4:

   Note that the convention of appending an "s" to the URL scheme to
   mean "use TLS or SSL" (as in "http:" vs "https:") is nonstandard and
   of limited value.  For most applications, a single "use TLS or SSL"
   bit is not sufficient to adequately convey the information that a
   client needs to authenticate itself to a server, even if it has the
   proper credentials.  For instance, in order to ensure that adequate
   security is provided with TLS an application may need to be
   configured with a list of acceptable ciphersuites, or with the client
   certificate to be used to authenticate to a particular server.  When
   it is necessary to specify authentication or other connection setup
   information in a URL these should be communicated in URL parameters,
   rather than in the URL prefix.

Why is httpsy different?

Larry
-- 
http://larry.masinter.net
Received on Friday, 15 August 2003 15:05:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 January 2011 12:15:32 GMT