- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Tue, 6 Mar 2007 19:41:35 -0800
- To: "EKR" <ekr@networkresonance.com>
- Cc: <public-wsc-wg@w3.org>
Does the protocol allow the client to state that it supports NBVH? If so the transition becomes smooth provided EV capable Web browsers also support NBVH as a matter of course. > -----Original Message----- > From: EKR [mailto:ekr@networkresonance.com] > Sent: Tuesday, March 06, 2007 6:53 PM > To: Hallam-Baker, Phillip > Cc: public-wsc-wg@w3.org > Subject: Re: Produce material on name-based virtual hosting and TLS > > Hallam-Baker, Phillip <pbaker@verisign.com> wrote: > > > (cc'd to EKR for comment) > > > > I thinbk we need a section 9.6 as follows > > > > 9.6 Cryptographic protocol limitations > > > > 9.6.1 Layering of HTTP on SSL requires a static IP address > per secured > > site > > > > IPv4 address space is a finite and increasingly scarce > resource. In order to reduce pressure on the IPv4 address > space the HTTP/1.1 protocol allows multiple domains to be > hosted on a single IP address. > > > > This feature is not fully supported when HTTP is layered on > SSL 3.0 or TLS 1.0. The HTTP URI or Host header specifying > the virtual domain to connect to is only transmitted after > the transport layer security negotiation is complete. This > configuration does not allow the server to vary the server > certificate presented unless a separate IP address is used per domain. > > > > This restriction is lifted in RFC 4366 S 3.1. Clients that > verify that the domain name of the certificate matches the > domain name of the site should be encouraged to support this > extension. > > > This seems pretty correct. It might be nice to mention that > servers can't safely use NBVH until client deployment becomes > ubiquitous. > > -Ekr >
Received on Wednesday, 7 March 2007 03:41:50 UTC