W3C home > Mailing lists > Public > www-tag@w3.org > December 2003

Re: Section on https

From: Roy T. Fielding <roy.fielding@day.com>
Date: Thu, 4 Dec 2003 14:03:29 -0800
Cc: Tim Bray <tbray@textuality.com>, "'www-tag@w3.org'" <www-tag@w3.org>
To: "Ian B. Jacobs" <ij@w3.org>
Message-Id: <B158E660-26A5-11D8-960B-000393753936@day.com>

>     I argued that the resource is the same whether secure
>     access is required or not. [One could argue with that
>     premise.]

That premise has no basis in deployed implementations.  They are
distinct servers, distinct authorities, and therefore distinct
resources.  They may not even be controlled by the same organization.
To imply that they are the same resource would lead one to assume
that access to the same path via http port 80 would result in
equivalent representations.  If that other server is owned by a
different organization, then the user is misled by such a statement
in the architecture document.

In TCP there is no such thing as a "server machine"; they are just
listeners that receive messages as routed by the network infrastructure.
I can route port 80 traffic to an entirely different continent from
the machines handling the other ports.

Even if we were to explicitly use port 80 in the https URI, the
server software will distinguish between resources that are
accessible via HTTP/TCP from those that are accessible via
HTTP/TLS/TCP.  Failing to do so would introduce security holes
with virtual hosts.  The browser should also consider it an error
if the server does not negotiate a secure connection, since it
has been instructed (by virtue of the "s") not to send the
request on a non-encrypted transport.

....Roy
Received on Thursday, 4 December 2003 17:09:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:23 GMT