- From: Dan Connolly <connolly@w3.org>
- Date: Fri, 28 Feb 1997 14:35:55 -0600
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: http-wg@cuckoo.hpl.hp.com
Larry Masinter wrote:
> Date: Fri, 28 Feb 1997 11:32:57 PST
> From: Carl-Uno Manros <cmanros@cp10.es.xerox.com>
...
> I believe that if SSL is used in combination with HTTP it
> is currently identified with "SHTTP" in the URL rather than just "HTTP". Is
> this correct?

Nope. SHTTP is the Shiffman et al. protocol. HTTP over SSL is https:...

I don't have exact citations, nor do I have time to look them up. If anybody else does, I'm interested: I maintain:

http://www.w3.org/pub/WWW/Addressing/schemes

> Our
> assumption is that once you are in the secure protocol, you can then
> negotiate which security features within that protocol you want to use.

Yes, due to the possibility of man-in-the-middle attacks, "bootstrapping" security is quite difficult: you can't just take cleartext declarations of the form "printer X does/does not support security mechanism Y" and act on them. You have to have some way of authenticating even that first step.

So you really need a protocol with message integrity before you can even start negotiating.

You could get security declarations (and key/certificate material) out of authenticated body parts (e.g. HTML docs) sent over HTTP using MD5-auth or some such.

Hmmm...

Dan
Received on Friday, 28 February 1997 12:40:39 UTC
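
The bootstrapping problem described in the message above, as an added example that is not part of the original message: a capability declaration altered in transit is accepted when sent in cleartext and rejected when it carries an integrity tag. The HMAC-SHA256 tag with an out-of-band key is an assumption standing in for the message's "MD5-auth or some such"; all names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample values: a key provisioned out of band (assumption)
# and a printer's declaration of the mechanisms it supports.
PROVISIONED_KEY = b"constructed-out-of-band-key"
DECLARATION = {"printer": "X", "mechanisms": ["ssl", "digest-auth"]}


def encode(declaration):
    """Canonical byte encoding so both sides compute the tag over identical bytes."""
    return json.dumps(declaration, sort_keys=True, separators=(",", ":")).encode()


def publish(declaration, key):
    """Printer side: send the declaration with an integrity tag over its bytes."""
    body = encode(declaration)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def strip_security(body):
    """Models modification in transit: the declaration now lists no mechanisms."""
    declaration = json.loads(body)
    declaration["mechanisms"] = []
    return encode(declaration)


def accept_cleartext(body):
    """Naive client: acts on whatever declaration arrives."""
    return json.loads(body)["mechanisms"]


def accept_authenticated(body, tag, key):
    """Client that checks integrity first; returns None when the check fails."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)["mechanisms"]


def demo():
    body, tag = publish(DECLARATION, PROVISIONED_KEY)
    tampered = strip_security(body)
    return {
        "cleartext_sees": accept_cleartext(tampered),
        "authenticated_tampered": accept_authenticated(tampered, tag, PROVISIONED_KEY),
        "authenticated_intact": accept_authenticated(body, tag, PROVISIONED_KEY),
    }
```

The cleartext client silently concludes the printer supports no security mechanism, which is the downgrade the message warns about; the authenticated client refuses the altered declaration before any negotiation starts.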