
Re: The 's' in https: more trouble than it's worth? [metadataInURI-31, schemeProtocols-49]

From: Dan Connolly <connolly@w3.org>
Date: Mon, 20 Mar 2006 14:23:56 -0600
To: Mark Baker <distobj@acm.org>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, www-tag <www-tag@w3.org>
Message-Id: <1142886236.12963.102.camel@dirk.w3.org>

On Mon, 2006-03-20 at 15:12 -0500, Mark Baker wrote:
> On 3/20/06, Dan Connolly <connolly@w3.org> wrote:
> > >   https is still needed to inform the client that privacy
> > > is needed.  Upgrade only removes the need for a separate port.  I
> > > explained it in detail when BEEP had the same issue, but I don't know
> > > where the archives of that list went.
> >
> > Yet another reason to make this argument easier to find.
> No luck in the HTTP-WG archives, but here's a message by Roy on the BEEP list;
> http://drakken.dbc.mtview.ca.us/pipermail/beepwg/2001-June/001151.html

Thanks. 1 bonus point.

... The client must know whether or not the
connection must be secured before it makes the first resource request of
the server.  In order to know that, the information must be in the URI.
The mechanism used to establish the secure session might be present
in the protocol, as it is with HTTP/1.1 Upgrade, but the decision to make
that upgrade mandatory prior to sending any sensitive information is
something that the client must make using only the URI as a guide.

The IESG objected to multiple TCP ports per protocol, not multiple
scheme names.  There is no reason why a new "s" scheme cannot be defined
with the same default port as the normal scheme, just as there is no
reason why https services cannot be located on port 80.  The client,
however, still needs the distinct schemes in order to know how it
should contact the server.  https, in particular, not only requires
that contact with the naming authority be secure, it also requires that
all application hops along the way to the naming authority be secure,
and further that nothing on that chain be cachable by default.  https
therefore defines much more than simply HTTP over SSL.

> which is part of this interesting thread;
> http://drakken.dbc.mtview.ca.us/pipermail/beepwg/2001-June/thread.html#1118

Another bonus point.

I read a few messages in that thread, but it looks quite long.

I offer a 40 point bonus for a summary of the thread with respect to
TAG issues. :)

Some bits that pop out at me...

" The URI scheme doesn't refer to the protocol."
 (I expect Noah will want to ponder that one. Ah... that's
another TAG issue... schemeProtocols-49)

[[The URI scheme should
answer the question of "what application interface should I expect?",
which is a lot more than "what protocol should I use?".]]
 -- ibid

Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
Received on Monday, 20 March 2006 20:24:05 UTC
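An added illustration of Roy's point above (example code, not part of the original message or of any W3C or IETF text): the client has to decide from the URI alone, before anything is written to the socket, whether TLS must be in place, and the port number is no substitute for the "s". Two client models are simulated offline: a scheme-driven one that opens TLS first for https, and an opportunistic RFC 2817 Upgrade client that sends the request in clear text and only learns that protection was required when the server answers 426. The function names, the sample URLs, and the sample Cookie header are constructed for this example.

```python
"""
Added example (not from the original message): why the client needs the "s"
in the scheme before its first request, and why the port is not a substitute.

No network is used. `first_bytes_on_wire` returns what a client would have
transmitted in the clear, before any protection is negotiated, under each
of two models:
  - "scheme":  trust the URI scheme; for https nothing is sent in clear
               (the first bytes would be a TLS ClientHello);
  - "upgrade": send the request in clear and rely on HTTP/1.1 Upgrade
               (RFC 2817), upgrading only after "426 Upgrade Required".
"""
from urllib.parse import urlsplit

# Default ports per scheme. The scheme, not the port, carries the policy:
# https may legitimately live on port 80, and http on port 443.
DEFAULT_PORTS = {"http": 80, "https": 443}


def transport_policy(url: str) -> dict:
    """Derive the connection policy a client must honour from the URI alone."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    secure = scheme == "https"
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        # TLS must be established before the first request leaves the client.
        "tls_before_first_request": secure,
        # Every application hop (proxies included) must also be secure ...
        "require_secure_hops": secure,
        # ... and responses are not cacheable by default.
        "cacheable_by_default": not secure,
    }


def build_request(url: str, headers: dict) -> bytes:
    """Serialize a minimal HTTP/1.1 GET for the URI with the given headers."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def first_bytes_on_wire(url: str, headers: dict, model: str) -> bytes:
    """Plaintext the client emits before any protection, under a given model."""
    policy = transport_policy(url)
    if model == "scheme":
        if policy["tls_before_first_request"]:
            return b""  # TLS handshake comes first; no HTTP in the clear
        return build_request(url, headers)
    if model == "upgrade":
        # An Upgrade-only client has no way to know the server will demand
        # TLS until it sees 426, which arrives after this is already on the
        # wire. It could probe with OPTIONS first, but only if something
        # told it to, and that something is the URI scheme.
        return build_request(url, headers)
    raise ValueError(f"unknown model: {model!r}")


def leaked_secrets(url: str, headers: dict, model: str) -> list:
    """Sensitive values (query string, header values) visible in the clear."""
    wire = first_bytes_on_wire(url, headers, model)
    candidates = [urlsplit(url).query, *headers.values()]
    return [v for v in candidates if v and v.encode() in wire]


if __name__ == "__main__":
    HEADERS = {"Cookie": "session=deadbeef"}  # constructed sample header
    for url in (
        "https://example.com/account?token=abc",
        "https://example.com:80/account?token=abc",   # https on port 80
        "http://example.com:443/account?token=abc",   # http on port 443
    ):
        for model in ("scheme", "upgrade"):
            print(f"{model:8} {url:45} leaks {leaked_secrets(url, HEADERS, model)}")
```

Running it shows the asymmetry Roy describes: under the scheme-driven model the https URIs leak nothing regardless of port, while the Upgrade-only client has already exposed the query string and cookie of its first request by the time the server can tell it to upgrade.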
