- From: Roy T. Fielding <roy.fielding@day.com>
- Date: Thu, 4 Dec 2003 14:03:29 -0800
- To: "Ian B. Jacobs" <ij@w3.org>
- Cc: Tim Bray <tbray@textuality.com>, "'www-tag@w3.org'" <www-tag@w3.org>
> I argued that the resource is the same whether secure
> access is required or not. [One could argue with that
> premise.]

That premise has no basis in deployed implementations. They are distinct servers, distinct authorities, and therefore distinct resources. They may not even be controlled by the same organization. To imply that they are the same resource would lead one to assume that access to the same path via http port 80 would result in equivalent representations. If that other server is owned by a different organization, then the user is misled by such a statement in the architecture document.

In TCP there is no such thing as a "server machine"; they are just listeners that receive messages as routed by the network infrastructure. I can route port 80 traffic to an entirely different continent from the machines handling the other ports.

Even if we were to explicitly use port 80 in the https URI, the server software will distinguish between resources that are accessible via HTTP/TCP from those that are accessible via HTTP/TLS/TCP. Failing to do so would introduce security holes with virtual hosts.

The browser should also consider it an error if the server does not negotiate a secure connection, since it has been instructed (by virtue of the "s") not to send the request on a non-encrypted transport.

....Roy
Received on Thursday, 4 December 2003 17:09:38 UTC
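As an added illustration (not part of Roy's message), a small Python model of the two rules he states: the server keys its virtual-host resource table on the scheme implied by the transport the request arrived on, and the client refuses to send an https URI over a plaintext connection. The host name, ports and resource table are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports for the two schemes discussed in the thread.
DEFAULT_PORTS = {"http": 80, "https": 443}


def resource_key(uri):
    """Identify the origin a URI names as (scheme, host, port).

    The scheme stays part of the identity: http://h/p and https://h/p are
    distinct resources even when host and port coincide (e.g. https on :80).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or parts.hostname is None:
        raise ValueError("unsupported URI: %r" % uri)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


# Constructed resource table for one virtual host. The plaintext listener
# and the TLS listener on the same port serve different representations.
RESOURCES = {
    ("http", "example.com", 80): {"/": "public landing page"},
    ("https", "example.com", 80): {"/": "TLS-only page on port 80"},
    ("https", "example.com", 443): {"/": "account dashboard"},
}


def dispatch(host, path, listener_port, transport_is_tls):
    """Server side: derive the scheme from the transport, not from the
    client's claim, and look the resource up under that scheme. Returns
    None when no resource exists for that (scheme, host, port, path)."""
    scheme = "https" if transport_is_tls else "http"
    table = RESOURCES.get((scheme, host.lower(), listener_port))
    if table is None:
        return None
    return table.get(path)


def client_may_send(uri, connection_is_tls):
    """Client side: an https URI must never go out on a plaintext connection;
    if TLS was not negotiated, the request is an error, not a fallback."""
    scheme = resource_key(uri)[0]
    return scheme != "https" or connection_is_tls
```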