Re: http+aes

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 5 Mar 2012 12:43:31 +0100
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Anne van Kesteren <annevk@opera.com>, Julian Reschke <julian.reschke@gmx.de>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>
Message-ID: <20120305114331.GE30594@1wt.eu>

Hi,

On Mon, Mar 05, 2012 at 10:43:14AM +0000, Poul-Henning Kamp wrote:
> In message <20120305104004.GC30594@1wt.eu>, Willy Tarreau writes:
> 
> >Being able to encrypt only the payload would be extremely useful in
> >server-to-server communications in datacenters.
> 
> How useful is it, when packet sniffing gets you both the key
> and the encrypted data?
> 
> I could understand it if the userinfo pointed to a PSK, but sending
> the actual AES key as part of the request defeats any attempt at
> privacy I can see?

I don't know what the intent was there, but my understanding is that
userinfo is a key ID, not the key itself. In enterprise, it's fairly
common to see servers communicate together and indicate to the other
end which key to use (and not the key itself).

Regards,
Willy
Received on Monday, 5 March 2012 11:44:43 GMT