IPP> [Fwd: Re: [Fwd: SEC - Protocol names for security protocols]]

Larry Masinter masinter at parc.xerox.com
Sat Mar 1 14:20:52 EST 1997



I would rather not be middleman in this conversation.



-- 
http://www.parc.xerox.com/masinter



Received: from alpha.xerox.com ([13.1.64.93]) by casablanca.parc.xerox.com with SMTP id <71896>; Fri, 28 Feb 1997 12:36:33 PST
Received: from LCS.MIT.EDU ([18.26.0.36]) by alpha.xerox.com with SMTP id <16206(3)>; Fri, 28 Feb 1997 12:36:28 PST
Received: from beach.w3.org by MINTAKA.LCS.MIT.EDU id aa20420;
          28 Feb 97 15:35 EST
Sender: connolly at parc.xerox.com
Message-ID: <331741AB.216A0B2D at w3.org>
Date: Fri, 28 Feb 1997 12:35:55 PST
From: Dan Connolly <connolly at w3.org>
Organization: World Wide Web Consortium
X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.18 i586)
MIME-Version: 1.0
To: Larry Masinter <masinter at parc.xerox.com>
CC: http-wg at cuckoo.hpl.hp.com
Subject: Re: [Fwd: SEC - Protocol names for security protocols]
References: <33173BC7.4522 at parc.xerox.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


Larry Masinter wrote:
> Date: Fri, 28 Feb 1997 11:32:57 PST
> From: Carl-Uno Manros <cmanros at cp10.es.xerox.com>
...


> I believe that if SSL is used in combination with HTTP it
> is currently identified with "SHTTP" in the URL rather than just "HTTP". Is
> this correct?


Nope. SHTTP is the Schiffman et al. protocol.


HTTP over SSL is https:...


I don't have exact citations, nor do I have time to look
them up.


If anybody else does, I'm interested: I maintain:


	http://www.w3.org/pub/WWW/Addressing/schemes


> Our assumption is that once you are in the secure protocol, you can then
> negotiate which security features within that protocol you want to use.


Yes, due to the possibility of man-in-the-middle attacks,
"bootstrapping" security is quite difficult: you can't just
take cleartext declarations of the form "printer X does/does not
support security mechanism Y" and act on them. You have to
have some way of authenticating even that first step.


So you really need a protocol with message integrity before
you can even start negotiating.


You could get security declarations (and key/certificate material)
out of authenticated body parts (e.g. HTML docs) sent over HTTP
using MD5-auth or some such. Hmmm...


Dan
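
Added example (not part of the original message, and not code from its author): the bootstrapping problem described in the message above, modelled in Python. The mechanism names, the pre-shared key and the use of HMAC-SHA256 (standing in for the "MD5-auth or some such" the message mentions) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: mechanism names and the key are illustrative only.
PREFERENCE = ["tls-mutual-auth", "digest-auth", "none"]  # client order, strongest first
SHARED_KEY = b"constructed-demo-key-provisioned-out-of-band"


def declare(mechanisms):
    """Printer side: serialize the capability declaration canonically."""
    doc = {"printer": "X", "supports": sorted(mechanisms)}
    return json.dumps(doc, sort_keys=True).encode()


def sign(declaration, key):
    """Integrity tag over the exact declaration bytes (HMAC-SHA256)."""
    return hmac.new(key, declaration, hashlib.sha256).hexdigest()


def strip_strong_mechanisms(declaration):
    """Model of an in-transit modification: only 'none' is left declared."""
    doc = json.loads(declaration)
    doc["supports"] = ["none"]
    return json.dumps(doc, sort_keys=True).encode()


def choose(declaration):
    """Pick the strongest mechanism both sides support (None if no overlap)."""
    offered = set(json.loads(declaration)["supports"])
    return next((m for m in PREFERENCE if m in offered), None)


def negotiate_cleartext(declaration):
    """Acts on whatever arrives; a modified declaration looks like a real one."""
    return choose(declaration)


def negotiate_authenticated(declaration, tag, key):
    """Verify integrity first and refuse to negotiate if the check fails."""
    if not hmac.compare_digest(sign(declaration, key), tag):
        raise ValueError("declaration failed integrity check; not negotiating")
    return choose(declaration)


if __name__ == "__main__":
    original = declare(["tls-mutual-auth", "digest-auth", "none"])
    tag = sign(original, SHARED_KEY)
    tampered = strip_strong_mechanisms(original)
    print(negotiate_cleartext(original), "->", negotiate_cleartext(tampered))
    print(negotiate_authenticated(original, tag, SHARED_KEY))
```

The cleartext path silently settles on "none" once the declaration has been altered, while the authenticated path rejects the altered declaration before any mechanism is chosen.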







