- From: Michael Brunnbauer <brunni@netestate.de>
- Date: Sun, 24 Aug 2014 02:32:32 +0200
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Public TAG List <www-tag@w3.org>, SW-forum Web <semantic-web@w3.org>
- Message-ID: <20140824003232.GA32028@netestate.de>
Hello Tim,

> I'm not sure I understand your argument.
> That's fine if they have the same content for http and https

It boils down to Roy Fielding's argument that there has never been any shared authority between a site on port 80 and a site on 443 - which is solidified in Apache configuration: You classically configure both sites separately and I think today there is still no way to avoid that.

So if an administrator has 10 HTTP/1.1 sites on the same IP and wants to add an https version of one of those sites, what does he do? Will he create an SSL version for every site in the configuration although all but one of them will be useless and lead to a certificate error? Of course not. So 9 of the 10 sites will not have the same content for http and https (and yield a common name mismatch).

You may argue that agents could check if the certificate common name matches the hostname, but this does not seem feasible for the whole range of agents to me and mixes things that maybe should be kept apart. How many current SSL libraries will still throw an error at the common name mismatch if certificates from unknown authorities are allowed?

What if the administrator only wants to secure a form or a shop checkout and does not bother to copy the whole site configuration for http into the https version? 10 of the 10 sites will not have the same content for http and https.

> I am just saying that if
> https://foo.com/bar and http://foo.com/bar both exist, then they should be able to use the content of the https://foo.com/bar page when I am looking for the http://foo.com/bar page.

Would this also apply for 40x errors? That would enable any website A to break another website B that has different content on http and https: Just include some inline https URLs from B that 404 but are present and needed in the http version.

What you are saying can also become something different in practice. Developers may assume that the other way round is also OK.
Hugh Glaser has brought up the nearby idea of owl:sameAs for http and https, etc.

> Well, there is a massive movement for HTTPS everywhere. That is happening now anyway. So websites in general are being pushed to move into https.

https://webfoundation.org/2014/08/world-wide-web-foundation-warns-google-https-policy-could-create-unequal-web/

Regards,

Michael Brunnbauer

--
++ Michael Brunnbauer
++ netEstate GmbH
++ Geisenhausener Straße 11a
++ 81379 München
++ Tel +49 89 32 19 77 80
++ Fax +49 89 32 19 77 89
++ E-Mail brunni@netestate.de
++ http://www.netestate.de/
++
++ Sitz: München, HRB Nr.142452 (Handelsregister B München)
++ USt-IdNr. DE221033342
++ Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++ Prokurist: Dipl. Kfm. (Univ.) Markus Hendel
Received on Sunday, 24 August 2014 00:32:55 UTC
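The two failure cases the mail raises for an agent that substitutes https content for an http URL (a certificate whose names do not cover the host, as with the shared-IP vhosts, and a 40x response from the https twin) can be made concrete as an agent-side decision rule. This is an added illustration, not code from the thread or from any of the projects mentioned; the function names and the sample certificate dicts are constructed for the example.

```python
# Added example: when may an https response stand in for an http URL?
# Refuses the cases from the mail: certificate names not covering the host
# ("common name mismatch") and non-2xx status such as a 404 on the https twin.
from urllib.parse import urlsplit


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A single leading '*' label matches exactly one DNS label, so
    '*.b.example' covers 'a.b.example' but not 'b.example' or 'x.a.b.example'.
    Anything else must match exactly (case-insensitively).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    labels = hostname.split(".")
    return "*" not in suffix and len(labels) >= 2 and ".".join(labels[1:]) == suffix


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert().

    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName at all.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def may_substitute_https(http_url: str, https_status: int, cert: dict) -> bool:
    """True only if the https twin's certificate covers the host AND it answered 2xx."""
    host = urlsplit(http_url).hostname or ""
    return cert_covers_host(cert, host) and 200 <= https_status < 300


# Constructed sample certificates (not real), in getpeercert() shape.
CERT_SHOP = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"), ("DNS", "*.shop.example.net")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}
```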