- From: Al Gilman <asgilman@iamdigex.net>
- Date: Sat, 16 Jun 2001 10:36:49 -0400
- To: "Roy T. Fielding" <fielding@ebuilt.com>, Dan Connolly <connolly@w3.org>
- Cc: uri@w3.org
At 08:56 PM 2001-06-15 , Roy T. Fielding wrote: > >> But folks have mostly avoided the practical side of >> this issue by layering everything on top of http; >> a noteable exception is https:, where I wish >> we would have avoided putting the "secure" flag >> in the name. > >But we could not have avoided that. The security context must be established >before the client uses the URL in any other way, which meant that an http URL >cannot be used because of the risk of older browsers mistaking it for a normal >request without secure communication. AG:: Can you expand on this last idea a bit? Under what circumstances is the URL not usable without a security failure? Al > An alternative could have been to use >a compound URL, but like the "ssl" example above the result would be a lot >of redundant information. The only thing "saved" by doing so is the cost of >adding a URL scheme to the namespace, which has proven to be of zero cost >for those applications that are implemented in accordance with the WWW >architecture, which expects the URI scheme namespace to be extensible. >In fact, the advantage of using https over http.ssl is that we can now >negotiate the security context rather than assume it is SSLv1. > >In any case, http and https define two entirely different naming authorities, >even when their implementations reside on the same machine. It therefore >makes sense that they be different schemes. > >....Roy >
Received on Saturday, 16 June 2001 10:32:31 UTC