Re: http+aes

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 05 Mar 2012 11:34:27 +0100
To: "Julian Reschke" <julian.reschke@gmx.de>, "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: URI <uri@w3.org>, "HTTP Working Group" <ietf-http-wg@w3.org>, "Ian Hickson" <ian@hixie.ch>
Message-ID: <op.wao0zprr64w2qv@annevk-macbookpro.local>

On Mon, 05 Mar 2012 11:29:01 +0100, Poul-Henning Kamp <phk@phk.freebsd.dk>  
wrote:
> In message <4F549392.60802@gmx.de>, Julian Reschke writes:
>> FYI:
>>
>> 	http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme
>
> So you encrypt the response body with the password clearly visible in the
> request, to gain privacy ?
>
> Please explain what I'm overlooking here...

I think the intent is that the user agent does the decryption and that  
therefore the key is not part of the request, but the specification is  
sort of vague / wrong on that it seems. Ian?


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 5 March 2012 10:34:58 GMT
