Re: TWO WEEK LAST CALL: Regularizing Port Numbers for SSL.

> From: "Alan O. Freier" <>
> What Tom was referring to is trying to use a single port number and
> determining through some lazy evaluation function whether or not the
> association was secure.

I think the question is do we need IANA to be the "some alternate protocol"
that defines the stack which is operating on a particular port.  My
contention is that formal registration is not needed.  The only advantage
of a well known number for SSL is to allow "" to be
abbreviated to "".  Given that port 80 is already well
known and established as a rendezvous point, even sites who's security
policy requires SSL for everything could use http on port 80 to redirect
all connections to https on some other port.  That some other port does
not have to be well-known.

Registration of 443 with IANA neither requires connections on port 443
to use SSL nor prohibits connections on other ports from using SSL.
Thus the decision on whether or not to register with IANA cannot be
justified by using arguments related to security.

Tom's question, "I have a connection on port xxx - is it secure or not?"
may be easy or difficult or impossible to answer.

But my point is that his question is irrelevant to the issue of whether
to register well-known ports for SSL, and invoking security arguments
to answer a non-security-relevent question is a non-sequitur.

Received on Wednesday, 5 February 1997 14:59:12 UTC