Re: http+aes

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 05 Mar 2012 12:02:19 +0100
Message-ID: <4F549D3B.6040504@gmx.de>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Poul-Henning Kamp <phk@phk.freebsd.dk>, Willy Tarreau <w@1wt.eu>, Anne van Kesteren <annevk@opera.com>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>

On 2012-03-05 11:52, Stefan Eissing wrote:
>
> On 05.03.2012 at 11:43, Poul-Henning Kamp wrote:
>>
>> I could understand it if the userinfo pointed to a PSK, but sending
>> the actual AES key as part of the request defeats any attempt at
>> privacy I can see?
>
>
> I assume the intention is to omit the userinfo in the request, as
> it is done with the userinfo in the standard http scheme.
>
> It would be interesting to hear more about the intended use scenario.
> My gut feeling is that URIs are public by nature and like to be written
> down.
>
> Also, would the fragment identifier, given that a new scheme is introduced
> anyway, not be a better place to store information for the client?
> ...

-1; fragment identifier semantics depends on media type, not protocol...

But yes, it's not entirely clear why this needs to be in the URI.
Received on Monday, 5 March 2012 11:02:57 GMT