- From: <noah_mendelsohn@us.ibm.com>
- Date: Fri, 9 Mar 2007 13:39:14 -0500
- To: Jon Hanna <jon@hackcraft.net>
- Cc: Chris Wilper <cwilper@cs.cornell.edu>, Jacek Kopecky <jacek.kopecky@deri.org>, Tim Berners-Lee <timbl@w3.org>, www-tag@w3.org
Jon Hanna writes > The fact that HTTPS is defined and named differently I don't think is > clean. (IIRC, it would now be against IESG policy to give it a different > port number to HTTP and I understand [though my knowledge here isn't > great, and I'll be dropping out of this thread once it's gone past > blue-sky suggestions] that this isn't unrelated to the lack of > cleanliness here). If you're referring to the fact that the https URI scheme is different than the http scheme, I believe there are some good reasons. A scheme establishes the association between URIs constructed with that schemes and resources. The social contract, if you will, implied by https URIs is somewhat different than that of http URIs, even though they are structurally identical, and often are appropriately used for the same sorts of resources. The difference is that when I give you an https URI, it's understood that the association between URI and resource is what HTTPS gives you. So, for example, it's understood that a degree of authentication is involved in successful resolution, and thus that the association is not vulernable to certain sorts of errors or malicious attacks. That level of robustness is not implicit in identification of a resource using the http scheme, even though in the absence of errors or attacks the two might do equally well and produce similar results. The space of resources designated by the https scheme is not the same space as the one designated by the http scheme, or that's my understanding anyway. -------------------------------------- Noah Mendelsohn IBM Corporation One Rogers Street Cambridge, MA 02142 1-617-693-4036 --------------------------------------
Received on Friday, 9 March 2007 18:39:29 UTC