Re: URI scheme listing for httpsy

On Thursday 14 August 2003 21:15, Larry Masinter wrote:
> Let me try to be more direct.
>
> The interesting policy document here is RFC 3205, section 4:
>
>    Note that the convention of appending an "s" to the URL scheme to
>    mean "use TLS or SSL" (as in "http:" vs "https:") is nonstandard and
>    of limited value.  For most applications, a single "use TLS or SSL"
>    bit is not sufficient to adequately convey the information that a
>    client needs to authenticate itself to a server, even if it has the
>    proper credentials.  For instance, in order to ensure that adequate
>    security is provided with TLS an application may need to be
>    configured with a list of acceptable ciphersuites, or with the client
>    certificate to be used to authenticate to a particular server.  When
>    it is necessary to specify authentication or other connection setup
>    information in a URL these should be communicated in URL parameters,
>    rather than in the URL prefix.
>
> Why is httpsy different?

I suspect you have misunderstood the purpose of the HTTPSY
protocol.

The HTTPSY protocol is not aimed at providing client
authentication, nor at providing additional connection setup
information. The purpose of the HTTPSY protocol is to use a public
key fingerprint as the URL authority *instead of* a domain name.

The HTTPSY spec says:

"The semantics are that the identified resource is located at the
server possessing the private key corresponding to the public key
whose hash is provided in the URL. The host is merely a hint as to
how the server may be contacted."

See: http://www.waterken.com/dev/YURL/httpsy/#The_httpsy_scheme

Your quoted section of RFC 3205 is targeted at protocols that make
further use of the PKI. The HTTPSY protocol aims to replace the
PKI, not to specify additional parameters for using it. Thus, the
quoted section does not apply to HTTPSY.

A more relevant section of RFC 3205 is section 2.3 on Security. In
this section, RFC 3205 says the following about the PKI:

   This scheme does not work as well to authenticate millions of
   potential clients to servers.  It would take a much larger number of
   CAs to do the job, each of which would need to be widely trusted by
   servers.  Those CAs would also have a more difficult time verifying
   the identities of (large numbers of) ordinary users than they do in
   verifying the identities of (a smaller number of) commercial and
   other enterprises that need to run secure web servers.

The same argument also applies to authenticating millions of
potential servers to clients. The HTTPSY protocol solves this
problem by providing a model that does not require CAs.

Tyler

Received on Friday, 15 August 2003 16:20:40 UTC
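The point of Tyler's reply, that the URL authority is a key fingerprint and the host is only a contact hint, can be shown in a few lines of Python. The following is an added example, not code from the original post or from the Waterken YURL project; the URL layout it assumes (`httpsy://*<fingerprint>@<host>/<path>`), the choice of SHA-256 with base32 for the fingerprint, and the sample key bytes are all assumptions made here, not taken from the httpsy spec. The proof that the server actually holds the matching private key belongs to the TLS handshake and is not modelled.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed URL layout for this example (not taken from the quoted spec):
#   httpsy://*<fingerprint>@<host>[:port]/<path>
# The userinfo slot carries the key fingerprint, marked with "*" so it cannot
# be confused with a username; the host after "@" is only a hint for reaching
# the server and plays no part in deciding who the server is.
FINGERPRINT_MARK = "*"


def fingerprint(public_key_der: bytes) -> str:
    """Fingerprint of an encoded public key.

    SHA-256 and unpadded lowercase base32 are choices made for this example,
    not the spec's; any stable hash of the key would serve the same purpose.
    """
    digest = hashlib.sha256(public_key_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def make_httpsy_url(public_key_der: bytes, host_hint: str, path: str = "/") -> str:
    """Build a URL whose authority is the key, with the host as a contact hint."""
    return f"httpsy://{FINGERPRINT_MARK}{fingerprint(public_key_der)}@{host_hint}{path}"


def parse_httpsy(url: str) -> dict:
    """Split an httpsy URL into the fingerprint naming the server and the hint."""
    parts = urlsplit(url)
    if parts.scheme != "httpsy":
        raise ValueError("not an httpsy URL: %r" % url)
    userinfo = parts.username  # urlsplit exposes the part before '@'
    if not userinfo or not userinfo.startswith(FINGERPRINT_MARK):
        # A bare domain name is not a valid authority here: the resource is
        # named by the key, not by a DNS name.
        raise ValueError("httpsy URL carries no key fingerprint: %r" % url)
    return {
        "fingerprint": userinfo[len(FINGERPRINT_MARK):],
        "host_hint": parts.hostname,
        "port": parts.port,
        "path": parts.path or "/",
    }


def authenticate_server(url: str, presented_public_key_der: bytes) -> bool:
    """Decide whether the key a server presented is the one the URL names.

    No CA and no DNS name takes part: the server is authentic iff its key
    hashes to the fingerprint in the URL. Proving it also holds the matching
    private key is the TLS handshake's job and is not modelled here. The
    comparison is constant-time so a mismatch leaks nothing about where it is.
    """
    expected = parse_httpsy(url)["fingerprint"]
    actual = fingerprint(presented_public_key_der)
    return hmac.compare_digest(expected, actual)


# Constructed sample keys: stand-ins for DER-encoded public keys, not real keys.
SERVER_KEY_DER = b"constructed stand-in for the legitimate server's public key"
IMPOSTOR_KEY_DER = b"constructed stand-in for a different party's public key"

RESOURCE_URL = make_httpsy_url(SERVER_KEY_DER, "www.example.com", "/doc")


def demo() -> dict:
    """Exercise the cases the scheme's semantics imply."""
    # Same key reached through a different host: still the same resource.
    moved = make_httpsy_url(SERVER_KEY_DER, "mirror.example.org", "/doc")
    try:
        parse_httpsy("httpsy://www.example.com/doc")
        bare_domain_rejected = False
    except ValueError:
        bare_domain_rejected = True
    return {
        "genuine_key": authenticate_server(RESOURCE_URL, SERVER_KEY_DER),
        "impostor_key": authenticate_server(RESOURCE_URL, IMPOSTOR_KEY_DER),
        "host_is_only_a_hint": parse_httpsy(moved)["fingerprint"]
        == parse_httpsy(RESOURCE_URL)["fingerprint"],
        "bare_domain_rejected": bare_domain_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the check does not consult: the host name, any certificate chain, or any CA. A server that was moved to another host, or is reached through a mirror, still satisfies the URL as long as it presents the same key, which is exactly why the RFC 3205 text about ciphersuite and client-certificate parameters does not bear on this scheme.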