[BXXPwg] re draft-mrose-bxxp-design-00.txt

bxxpwg@invisibleworlds.com
Thu, 09 Nov 2000 16:41:30 -0800


http://www.ietf.org/internet-drafts/draft-mrose-beep-design-00.txt

> hi. i think you're missing the sentence before. here is the entire text:
> 
>    The key difference between the original mechanism and TLS, is one of
>    provisioning. In the initial approach, a world-wide web server would
>    listen on two ports, one for plaintext traffic and the other for
>    secured traffic; in contrast, a server implementing an application
>    protocol that is TLS-enabled listens on a single port for plaintext
>    traffic; once a connection is established, the use of TLS is
>    negotiated by the peers.
> 
> specifically, the observation that the difference lies in the provisioning
> (one port or two) addresses your comment.

Respectfully, not as it seems to me. I feel it is reasonable to presume that 
it won't be uncommon for readers, who for whatever reason lack sufficient 
context, to (incorrectly) interpret this clause..

  "a server implementing an application protocol that is TLS-enabled listens  
   on a single port for plaintext traffic;"

..as saying that listening on a single port is a property of TLS itself, and 
that any and all protocols built on top of TLS (as opposed to SSL) naturally 
default to using a single port.

In thinking about this some, it seemed to me that there were several minor 
changes needed in that entire subsection (3.6) in order to correct this. Here 
for your consideration is what I came up with:


                        ------------------------
3.6 Privacy

HTTP is the first widely used protocol to make use of a transport security 
protocol [insert reference to SSL] to encrypt the data sent on the connection. 
The current version of the security protocol, TLS[22], is available to all 
application protocols, e.g. SMTP and ACAP[23] (the Application Configuration 
Access Protocol).

The key difference between the original typical use of SSL and the typical 
as-specified use of TLS, is one of provisioning. With the original SSL usage, 
a world-wide web server would listen on two ports by convention, one for 
plaintext traffic and the other for secured traffic; in contrast, a server 
implementing an application protocol that is specified as TLS-enabled (e.g. 
[RFC2487, RFC2595]), conventionally listens on a single port for plaintext 
traffic; once a connection is established, the use of TLS is negotiated by the 
peers.

                                     :
                                     :

[reference to SSL] SSL 3.0 Specification. Netscape, ca. 1996. 
http://www.netscape.com/eng/ssl3/

add refs for [RFC2487, RFC2595]

                        ------------------------

I suggest using the words "typical" and "convention" in the above because they 
(I believe) correctly convey the present level of standardization of using 
TLS. E.g. the closest I can find to an "official" statement that "thou shalt 
use a single port per protocol" is this comprising the second paragraph of 
section 1 of rfc2817..

   At the Washington DC IETF meeting in December 1997, the Applications
   Area Directors and the IESG reaffirmed that the practice of issuing
   parallel "secure" port numbers should be deprecated. The HTTP/1.1
   Upgrade mechanism can apply Transport Layer Security [6] to an open
   HTTP connection.


JeffH
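The two provisioning styles contrasted in the message above (a dedicated "secure" port that is TLS from the first byte, versus a single port on which the peers negotiate TLS in-band, as RFC 2487 specifies for SMTP) can be made concrete with a small simulation. The following is an added example, not code from the original post, from the BXXP/BEEP drafts or from any RFC; it models the SMTP STARTTLS exchange in memory, represents the TLS handshake by a state flag rather than real cryptography, and uses constructed hostnames (`mail.example`, `client.example`). The `require_tls` policy on the client side is an assumption of the example, illustrating that with single-port provisioning the client, not the port number, decides whether plaintext is acceptable.

```python
"""Simulated single-port (STARTTLS-style) and dedicated-port TLS provisioning.

Added example, not code from the original mailing-list post or from the
BXXP/BEEP drafts.  It models the two provisioning styles the post contrasts:
a dedicated "secure" port where TLS is active before any application byte,
versus one port where the peers negotiate TLS in-band, following the SMTP
STARTTLS exchange of RFC 2487.  The TLS handshake itself is simulated by a
state flag; no real cryptography is performed.  Hostnames are constructed.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SmtpServer:
    """Minimal SMTP server state: enough to answer EHLO and STARTTLS."""
    hostname: str
    tls_active: bool = False          # True on the dedicated port from the start
    offers_starttls: bool = True      # False models a plaintext-only server
    client_ehlo: Optional[str] = None

    def handle(self, line: str) -> List[str]:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.client_ehlo = arg
            reply = [f"250-{self.hostname}", "250-8BITMIME"]
            # RFC 2487: STARTTLS must not be advertised once TLS is active.
            if self.offers_starttls and not self.tls_active:
                reply.append("250-STARTTLS")
            reply.append("250 HELP")
            return reply
        if verb == "STARTTLS":
            if self.tls_active or not self.offers_starttls:
                return ["503 Bad sequence of commands"]
            return ["220 Ready to start TLS"]
        return ["500 Command not recognised"]

    def begin_tls(self) -> None:
        """Simulated handshake completion: RFC 2487 resets the session state,
        so earlier EHLO knowledge is discarded on both sides."""
        self.tls_active = True
        self.client_ehlo = None


Transcript = List[Tuple[str, str]]


def negotiate_tls_single_port(server: SmtpServer,
                              require_tls: bool = True) -> Tuple[Transcript, bool]:
    """Client side of the single-port style: connect in plaintext, then negotiate.

    Returns the exchanged lines and whether the channel ended up protected.
    With require_tls=True a server that cannot negotiate TLS is rejected
    instead of being used in plaintext.
    """
    transcript: Transcript = []

    def send(line: str) -> List[str]:
        transcript.append(("C", line))
        reply = server.handle(line)
        transcript.extend(("S", r) for r in reply)
        return reply

    caps = send("EHLO client.example")
    if "250-STARTTLS" not in caps:
        if require_tls:
            raise RuntimeError("server does not offer STARTTLS; refusing plaintext")
        return transcript, False

    reply = send("STARTTLS")
    if not reply[0].startswith("220"):
        if require_tls:
            raise RuntimeError(f"STARTTLS refused: {reply[0]}")
        return transcript, False

    # Both peers now run the TLS handshake (simulated).  Per RFC 2487 the
    # client discards what it learned in plaintext and re-issues EHLO.
    server.begin_tls()
    caps = send("EHLO client.example")
    if "250-STARTTLS" in caps:
        raise RuntimeError("server re-advertised STARTTLS after TLS was active")
    return transcript, True


def connect_dedicated_port(server: SmtpServer) -> Tuple[Transcript, bool]:
    """Client side of the two-port style: TLS is active before any SMTP byte,
    so no negotiation happens and STARTTLS is never offered."""
    server.begin_tls()                      # handshake precedes the greeting
    transcript: Transcript = [("C", "EHLO client.example")]
    transcript.extend(("S", r) for r in server.handle("EHLO client.example"))
    return transcript, server.tls_active


if __name__ == "__main__":
    for style, (lines, secured) in {
        "single port": negotiate_tls_single_port(SmtpServer("mail.example")),
        "dedicated port": connect_dedicated_port(SmtpServer("mail.example")),
    }.items():
        print(f"--- {style}: secured={secured}")
        for who, line in lines:
            print(f"{who}: {line}")
```

Run directly, the block prints both transcripts. The single-port transcript shows STARTTLS advertised once, negotiated with a 220 reply, and then absent from the second EHLO response issued over the protected channel; the dedicated-port transcript never mentions STARTTLS at all, which is exactly the provisioning difference (one port with in-band negotiation versus two ports by convention) that the proposed text for section 3.6 is trying to pin down.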