At the moment, there is a draft that allows in-band signaling for TLS using
the HTTP Upgrade: header.
Basically, you connect without security then "Upgrade:" your way to
whatever you want.
Either method (SASL or the Upgrade: header) would probably work; I'm still
studying Rohit's "Upgrade:" draft...
Carl Kugler wrote:
> > Chances are that IESG won't allow a standards track RFC to incorporate
> > the SSL3 protocol. It will have to reference the TLS protocol.
> > Fortunately, the TLS spec is essentially finished - the TLS WG has
> > finished its internal Last Call and would appear to be ready to send
> > the spec back to IESG. So I don't expect that referencing the TLS
> > spec would delay adoption of IPP as a standard.
> > Also, while it's technically feasible to always use TLS framing with
> > IPP, it seems like it would be far better to define a SASL negotiation
> > framework for HTTP, which could then negotiate TLS. SASL is already a
> > Proposed Standard RFC, and is being retro-fitted into a number of
> > existing apps protocols.
> Has a SASL negotiation framework for HTTP been defined yet?
> > Keith
> See the original message at http://www.egroups.com/list/ipp/?start=2406
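
The exchange described at the top of this message (connect without security, then "Upgrade:" to TLS), as an added example that is not part of the original thread or of the draft. It builds the cleartext upgrade request and checks that the server really agreed to switch before the client treats the connection as protected. The `TLS/1.0` token and `OPTIONS *` request form are assumptions taken from RFC 2817, the later published form of this mechanism; the function names and sample replies are constructed for illustration.

```python
# Added example (not from the thread): validate the reply to an Upgrade-to-TLS request.
# Assumption: the "TLS/1.0" upgrade token, as later published in RFC 2817.
UPGRADE_TOKEN = "TLS/1.0"


def build_upgrade_request(host, token=UPGRADE_TOKEN):
    """Cleartext request asking the server to switch this connection to TLS."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            f"Upgrade: {token}\r\nConnection: Upgrade\r\n\r\n").encode("ascii")


def parse_response_head(raw):
    """Return (status_code, {lowercased header name: [values]}) for a response head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def header_tokens(headers, name):
    """Flatten a comma-separated list header into lowercased tokens."""
    return [t.strip().lower() for v in headers.get(name, []) for t in v.split(",") if t.strip()]


def upgrade_accepted(raw, token=UPGRADE_TOKEN):
    """True only if the server answered 101 and named the requested token.

    Any other reply means the connection is still cleartext HTTP, so the
    caller must not send protected data on it.
    """
    code, headers = parse_response_head(raw)
    return (code == 101
            and token.lower() in header_tokens(headers, "upgrade")
            and "upgrade" in header_tokens(headers, "connection"))


# Constructed sample replies (not captured traffic).
ACCEPTED = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
IGNORED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
WRONG_PROTOCOL = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: example/1\r\nConnection: Upgrade\r\n\r\n"
```

A reply such as `IGNORED` is a normal answer from a server that does not implement the upgrade, so a client that requires TLS has to treat it as a failure rather than continue in the clear.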