- From: John Stracke <francis@netscape.com>
- Date: Mon, 12 Oct 1998 19:43:45 +0000
- To: WEBDAV WG <w3c-dist-auth@w3.org>
Jim Whitehead forwarded:

> From: moore@cs.utk.edu [mailto:moore@cs.utk.edu]

[...]

> 3. [nit] Is the reference for Dublin Core [Weibel et. al.], equivalent
> to RFC 2413? If so, we'd prefer that to just a URL.

Note that RFC 2413 includes a URL to DC's site; would that be enough?

> 8. We've basically decided not to publish the UUID/GUID draft because
> it would define the same thing as an existing ISO document, except in
> a slightly different way. So you need to reference the ISO document's
> definition of UUIDs.

Gack.

> 11. on the use of URLs as XML namespaces: there's a scalability and
> reliability issue if any particular URIs used as namespace names are
> distributed in products that are widely used, and they may not work if
> used on private nets not connected to the Internet.

We don't write anything that would suggest a client might dereference a namespace URL, do we?

> 17. section 16.1:
>
> TLS doesn't inherently provide a secure connection, as TLS allows use
> of insecure ciphersuites. TLS is "secure" only if strong ciphersuites
> are used (40 bit ciphersuites are certainly not secure enough for
> passwords that might be reused in other contexts), and I believe you
> need to have mutual authentication to thwart man-in-the-middle
> attacks. (I might be wrong about the latter - server-to-client
> authentication might be sufficient to prevent man-in-the-middle
> attacks)

I'm pretty sure server-to-client is meant to be sufficient. Existing SSL clients (well, Navigator, anyway :-) have to deal with this problem when running through a proxy. Navigator connects to the proxy and issues a CONNECT request, which tells the proxy to open up a connection to the server and relay bits untouched. If man-in-the-middle were a problem, the proxy would need to be trusted, in which case we wouldn't need a CONNECT; we could proxy https: just like http:.

That being said, I don't know the details of SSL, and still less those of TLS; I may be missing something.
--
/====================================================================\
|John (Francis) Stracke    |My opinions are my own.|S/MIME supported |
|Software Retrophrenologist|=========================================|
|Netscape Comm. Corp.      | Don't anthropomorphize computers.       |
|francis@netscape.com      | They don't like it.                     |
\====================================================================/
New area code for work number: 650
Received on Monday, 12 October 1998 15:51:14 UTC
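
The CONNECT exchange and the ciphersuite concern discussed in item 17, as an added example that is not part of the original message: a client asks a proxy to relay bytes, then runs server-authenticated TLS end to end with the origin while refusing anonymous, NULL and weak suites. The function names, the cipher string and the TLS 1.2 floor are assumptions of this example.

```python
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT asks the proxy to open a TCP connection and relay bytes untouched."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def proxy_accepted(head: bytes) -> bool:
    """True only if the proxy's status line carries a 2xx code."""
    fields = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/"):
        return False
    code = fields[1]
    return len(code) == 3 and code.isdigit() and code.startswith(b"2")

def strict_client_context() -> ssl.SSLContext:
    """Server-authenticated TLS with weak and anonymous suites refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: this example's floor
    # HIGH drops export-grade suites; !aNULL drops unauthenticated (anonymous)
    # key exchange, which a man in the middle could terminate; !eNULL drops
    # suites with no encryption.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    return ctx

def open_tunnel(proxy_addr, host, port, timeout=10.0):
    """Network path: CONNECT through the proxy, then TLS end to end with the origin."""
    raw = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        raw.sendall(build_connect_request(host, port))
        head = b""
        while b"\r\n\r\n" not in head:  # read the proxy's reply headers
            chunk = raw.recv(4096)
            if not chunk:
                break
            head += chunk
        if not proxy_accepted(head):
            raise ConnectionError("proxy refused CONNECT")
        # The certificate is checked against the origin's name, not the proxy's,
        # so the relaying proxy cannot substitute itself without failing here.
        return strict_client_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```
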