Gregory Pietsch <[EMAIL PROTECTED]> writes:
> Second (and this is more complicated), what's the difference between using
> SSL/TLS and Secure HTTP (as defined in RFC 2660)?  They are both similar.
> Is there any difference in use?
Actually, they're totally different. Secure HTTP is message level
security, kind of like carrying HTTP messages as S/MIME messages.
SSL is channel level security--it just provides an encrypted
channel over which you can transmit any data--including Secure HTTP
messages.

> What happens when I send a HTTP message over SSL?  Is the resulting
> encryption "Encrypted HTTP" or "Secure HTTP"?
It's encrypted HTTP.

> What happens when I send a Secure HTTP message over SSL?  Does the message
> get encrypted twice?
Definitely. SSL is oblivious to the traffic running over it.
However, S-HTTP and SSL both offer authenticated-only modes so
you could only encrypt once if you so chose. The reason you
might want to do this is that S-HTTP offers some properties that
SSL doesn't, like message-level nonrepudiation.

That said, no browser implements Secure HTTP so you're not going
to ever run into this situation. The only security for HTTP that you're
going to see is SSL (also called HTTPS because the URLs begin
with https://). See RFC 2818.

There's also another standard for HTTP over SSL, described in
RFC 2817.

-Ekr

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
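
Message-level protection of the kind the reply describes, using S/MIME as the stand-in the reply itself compares it to: the signature travels with the message and can be checked later from the stored copy, independent of any channel. This is an added example, not part of the original post and not an S-HTTP (RFC 2660) implementation; the request, host name, file names and function names are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: message-level signing, S/MIME style. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed identity (stand-in for a real signer certificate).
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Sign a file; the signature becomes part of the message itself.
sign_message() {    # $1 = plaintext file, $2 = signed output file
    openssl smime -sign -text -in "$1" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$2" 2>/dev/null
}

# Check a stored message; prints "valid" or "invalid". No channel is involved.
verify_message() {  # $1 = signed file
    if openssl smime -verify -text -in "$1" -CAfile "$WORK/cert.pem" \
        -out "$WORK/recovered.txt" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

make_signer
# Constructed sample request.
printf 'POST /transfer HTTP/1.1\nHost: bank.example\n\namount=10&to=alice\n' \
    > "$WORK/req.txt"
sign_message "$WORK/req.txt" "$WORK/signed.msg"

# What remains once any SSL channel has closed is the stored message; alter a copy.
sed 's/amount=10/amount=9999/' "$WORK/signed.msg" > "$WORK/tampered.msg"

echo "as signed: $(verify_message "$WORK/signed.msg")"
echo "altered:   $(verify_message "$WORK/tampered.msg")"
```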
