
Re: http+aes

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 5 Mar 2012 11:40:04 +0100
To: Anne van Kesteren <annevk@opera.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Poul-Henning Kamp <phk@phk.freebsd.dk>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>
Message-ID: <20120305104004.GC30594@1wt.eu>

On Mon, Mar 05, 2012 at 11:34:27AM +0100, Anne van Kesteren wrote:
> On Mon, 05 Mar 2012 11:29:01 +0100, Poul-Henning Kamp <phk@phk.freebsd.dk>  
> wrote:
> >In message <4F549392.60802@gmx.de>, Julian Reschke writes:
> >>FYI:
> >>
> >>	http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme
> >
> >So you encrypt the response body with the password clearly visible in the
> >request, to gain privacy?
> >
> >Please explain what I'm overlooking here...
> 
> I think the intent is that the user agent does the decryption and that  
> therefore the key is not part of the request, but the specification is  
> sort of vague / wrong on that it seems. Ian?

Being able to encrypt only the payload would be extremely useful in
server-to-server communications in datacenters. However it's not clear
to me either how this is supposed to be used, especially in requests
to origin servers that lack the scheme.

Regards,
Willy
Received on Monday, 5 March 2012 10:41:21 GMT
