[BXXPwg] re draft-mrose-bxxp-design-00.txt
Thu, 09 Nov 2000 16:41:30 -0800
> Hi. I think you're missing the sentence before. Here is the entire text:
> The key difference between the original mechanism and TLS, is one of
> provisioning. In the initial approach, a world-wide web server would
> listen on two ports, one for plaintext traffic and the other for
> secured traffic; in contrast, a server implementing an application
> protocol that is TLS-enabled listens on a single port for plaintext
> traffic; once a connection is established, the use of TLS is
> negotiated by the peers.
> Specifically, the observation that the difference lies in the provisioning
> (one port or two) addresses your comment.
Respectfully, not as it seems to me. I feel it is reasonable to presume that
it won't be uncommon for readers, who for whatever reason lack sufficient
context, to (incorrectly) interpret this clause..
"a server implementing an application protocol that is TLS-enabled listens
on a single port for plaintext traffic;"
..as saying that listening on a single port is a property of TLS itself, and
that any and all protocols built on top of TLS (as opposed to SSL) naturally
default to using a single port.
In thinking about this some, it seemed to me that there were several minor
changes needed in that entire subsection (3.6) in order to correct this. Here
for your consideration is what I came up with:
HTTP is the first widely used protocol to make use of a transport security
protocol [insert reference to SSL] to encrypt the data sent on the connection.
The current version of the security protocol, TLS, is available to all
application protocols, e.g. SMTP and ACAP (the Application Configuration
The key difference between the original typical use of SSL and the typical
as-specified use of TLS is one of provisioning. With the original SSL usage,
a world-wide web server would listen on two ports by convention, one for
plaintext traffic and the other for secured traffic; in contrast, a server
implementing an application protocol that is specified as TLS-enabled (e.g.
[RFC2487, RFC2595]), conventionally listens on a single port for plaintext
traffic; once a connection is established, the use of TLS is negotiated by the
[reference to SSL] SSL 3.0 Specification. Netscape, ca. 1996.
add refs for [RFC2487, RFC2595]
I suggest using the words "typical" and "convention" in the above because they
(I believe) correctly convey the present level of standardization of using
TLS. E.g., the closest I can find to an "official" statement that "thou shalt
use a single port per protocol" is this, comprising the second paragraph of
section 1 of RFC 2817..
At the Washington DC IETF meeting in December 1997, the Applications
Area Directors and the IESG reaffirmed that the practice of issuing
parallel "secure" port numbers should be deprecated. The HTTP/1.1
Upgrade mechanism can apply Transport Layer Security to an open