Re: Semantics of HTTPS

On 13/09/2012, at 3:49 PM, Poul-Henning Kamp <> wrote:

> In message <>, Mark Nottingham writes:
>> Should we state that the HTTPS URI scheme implies end-to-end security 
>> (i.e., between the user-agent and the origin server)?
> Given the current hostile actions in the certificate-space, I think such
> a statement should be footnoted with something like:
> 	Please notice that "end" in this context merely means "where
> 	the SSL/TLS session terminates".  Only proper handling and
> 	examination of the involved cryptographic keys can provide
> 	assurance that the other "end" is where it claims to be.

HTTPS isn't specific to TLS -- that's just one way to provide the semantics of the scheme. 

What you're saying is more like implementation notes -- useful, but probably doesn't belong in the spec.


Mark Nottingham

Received on Thursday, 13 September 2012 11:02:50 UTC