Darren New dnew@san.rr.com
Thu, 28 Jun 2001 10:11:13 -0700

"Roy T. Fielding" wrote:
> That is not sufficient.  The client must know whether or not the
> connection must be secured before it makes the first resource request of
> the server.  In order to know that, the information must be in the URI.

Not really. If the server only advertises TLS in the greeting upon
connection, it's pretty obvious to the client that that must be
negotiated first.

> The mechanism used to establish the secure session might be present
> in the protocol, as it is with HTTP/1.1 Upgrade, but the decision to make
> that upgrade mandatory prior to sending any sensitive information is
> something that the client must make using only the URI as a guide.

No, the server can enforce it.

Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
       San Diego, CA, USA (PST).  Cryptokeys on demand.
     This is top-quality raw fish, the Rolls-Rice of Sushi!