James Aylett james-ietf@tartarus.org
Thu, 28 Jun 2001 18:18:21 +0100

On Thu, Jun 28, 2001 at 10:11:13AM -0700, Darren New wrote:

> > That is not sufficient.  The client must know whether or not the
> > connection must be secured before it makes the first resource request of
> > the server.  In order to know that, the information must be in the URI.
> Not really. If the server only advertises TLS in the greeting upon
> connection, it's pretty obvious to the client that that must be
> negotiated first.

That's not the issue, is it? If there's a service which can either be
secured using TLS or not, and some application somewhere wishes to
explicitly link to the _secured_ version, then you need that in the

The counterargument to this is that in such a situation, the service
should really be secured _always_, but I don't think this holds
water. I'm sure there are ample situations where a sensible subset of
operations could be safely performed over an unsecured connection
(perhaps a search engine where a secured connection gives access to
more sensitive data?) for this to be a real issue.


  James Aylett                                           www.zap.uk.eu.org
  james@tartarus.org                                    www.footlights.org