- From: Dan Connolly <connolly@w3.org>
- Date: Mon, 20 Mar 2006 14:23:56 -0600
- To: Mark Baker <distobj@acm.org>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, www-tag <www-tag@w3.org>
On Mon, 2006-03-20 at 15:12 -0500, Mark Baker wrote:
> On 3/20/06, Dan Connolly <connolly@w3.org> wrote:
> > > https is still needed to inform the client that privacy
> > > is needed. Upgrade only removes the need for a separate port. I
> > > explained it in detail when BEEP had the same issue, but I don't know
> > > where the archives of that list went.
> >
> > Yet another reason to make this argument easier to find.
>
> No luck in the HTTP-WG archives, but here's a message by Roy on the BEEP list;
>
> http://drakken.dbc.mtview.ca.us/pipermail/beepwg/2001-June/001151.html

Thanks. 1 bonus point.

[[
...
The client must know whether or not the connection must be secured before it makes the first resource request of the server. In order to know that, the information must be in the URI. The mechanism used to establish the secure session might be present in the protocol, as it is with HTTP/1.1 Upgrade, but the decision to make that upgrade mandatory prior to sending any sensitive information is something that the client must make using only the URI as a guide.

The IESG objected to multiple TCP ports per protocol, not multiple scheme names. There is no reason why a new "s" scheme cannot be defined with the same default port as the normal scheme, just as there is no reason why https services cannot be located on port 80. The client, however, still needs the distinct schemes in order to know how it should contact the server.

https, in particular, not only requires that contact with the naming authority be secure, it also requires that all application hops along the way to the naming authority be secure, and further that nothing on that chain be cachable by default. https therefore defines much more than simply HTTP over SSL.
]]

> which is part of this interesting thread;
>
> http://drakken.dbc.mtview.ca.us/pipermail/beepwg/2001-June/thread.html#1118

Another bonus point.

I read a few messages in that thread, but it looks quite long.
I offer a 40 point bonus for a summary of the thread with respect to TAG issues. :)

Some bits that pop out at me...

"The URI scheme doesn't refer to the protocol."
 -- http://drakken.dbc.mtview.ca.us/pipermail/beepwg/2001-June/001123.html

(I expect Noah will want to ponder that one. Ah... that's another TAG issue... schemeProtocols-49)

[[The URI scheme should answer the question of "what application interface should I expect?", which is a lot more than "what protocol should I use?".]]
 -- ibid

--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
Received on Monday, 20 March 2006 20:24:05 UTC
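
The point of the quoted BEEP-list passage, sketched as an added example (not code from this thread or from any HTTP client): the client derives its security policy from the URI scheme alone, before sending anything, and the port plays no part in it. `Plan`, `plan_for` and `first_request` are hypothetical names, the URIs are constructed, and `Upgrade: TLS/1.0` is the RFC 2817 token for the HTTP/1.1 Upgrade mechanism the passage mentions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

@dataclass(frozen=True)
class Plan:
    host: str
    port: int
    tls_required: bool     # must the channel be secure before the first request?
    offer_upgrade: bool    # may the client offer "Upgrade: TLS/1.0" opportunistically?
    shared_cache_ok: bool  # may intermediaries on the chain cache by default?

def plan_for(uri: str) -> Plan:
    """Derive the connection policy from the URI alone, before any bytes are sent."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    secure = scheme == "https"
    return Plan(
        host=parts.hostname or "",
        port=parts.port or DEFAULT_PORT[scheme],  # the port never changes the policy
        tls_required=secure,
        offer_upgrade=not secure,   # Upgrade is a mechanism, not a requirement
        shared_cache_ok=not secure,
    )

def first_request(uri: str, channel_is_secure: bool) -> str:
    """Say how the first request goes out, or raise if the URI's policy forbids it.

    channel_is_secure is the outcome of whatever mechanism was tried
    (TLS on connect, or an Upgrade the server accepted).
    """
    plan = plan_for(uri)
    if plan.tls_required and not channel_is_secure:
        # https: the request, which may carry sensitive data, is never sent in clear
        raise PermissionError("https URI: refusing to send on an unsecured channel")
    return "secure" if channel_is_secure else "cleartext"

if __name__ == "__main__":
    # Constructed URIs: https on port 80 still demands TLS; http on 443 does not.
    for uri in ("https://example.org:80/acct", "http://example.org:443/acct"):
        print(uri, plan_for(uri))
```

With an `http` URI a declined Upgrade simply leaves the request in cleartext; only the `https` scheme turns the same mechanism into a precondition.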