Re: http+aes

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Mon, 5 Mar 2012 11:52:57 +0100
Cc: Willy Tarreau <w@1wt.eu>, Anne van Kesteren <annevk@opera.com>, Julian Reschke <julian.reschke@gmx.de>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>
Message-Id: <62DB38DD-A2F7-4B09-B932-2AFA63E484FC@greenbytes.de>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>

On 05.03.2012 at 11:43, Poul-Henning Kamp wrote:
> 
> I could understand it if the userinfo pointed to a PSK, but sending
> the actual AES key as part of the request defeats any attempt at
> privacy I can see?


I assume the intention is to omit the userinfo in the request, as
it is done with the userinfo in the standard http scheme.

It would be interesting to hear more about the intended use scenario.
My gut feeling is that URIs are public by nature and like to be written
down.

Also, would the fragment identifier, given that a new scheme is introduced
anyway, not be a better place to store information for the client?

Cheers,

Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
Received on Monday, 5 March 2012 10:53:29 GMT