The short answer to the enclosed query is "the HTTP working group
hasn't addressed this issue". I actually think that we may have
some responsibility to deal with the https/shttp issues, though,
and thus I'd like to see some discussion of this on the working
group mailing list. Opinions?
--
http://www.parc.xerox.com/masinter
Forwarded message 1
Larry,
we have had a discussion in the IPP security sbgroup, which has resulted in
a question for you.
We need some way of signalling whether a particular printer optionally
supports or even enforces the use of a secure protocol in combination with
IPP.
Examples that we are looking at include RFC 2069 security and the various
versions of SSL. I believe that if SSL is used in combination with HTTP it
is currently identified with "SHTTP" in the URL rather than just "HTTP". Is
this correct?
If we could assume that all security protocols used with HTTP would carry
their own protocol names, it would make life a lot simpler for us. As we
are planning to identify printers with a URL address, we would then give a
printer that can handle both secure and non-secure print requests two URL
names, one with "HTTP://..." and one with "SHTTP://...." and the IPP client
can then invoke operations on one or the other. A printer that only
supports secure printing, would obviously only have an "SHTTP://..." address.
So I am back to our question: Can we assume that secure versions of HTTP
will always have separate names, eg. what is planned for RFC 2069? Our
assumption is that once you are in the secure protocol, you can then
negotiate which security features within that protocol you want to use.
You may want to forward this note to the HTTP list, in case you do not have
an easy answer.
Thankful for your feedback,
Carl-Uno
Carl-Uno Manros
Principal Engineer - Advanced Printing Standards - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros@cp10.es.xerox.com