W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: http+aes

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Wed, 07 Mar 2012 02:49:15 +0100
Message-ID: <1331084955.24570.17.camel@home.hno.se>
To: Ian Hickson <ian@hixie.ch>
Cc: Willy Tarreau <w@1wt.eu>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>
mån 2012-03-05 klockan 23:29 +0000 skrev Ian Hickson:

> >     Content-Encoding: aes-ctr-128; keyid=0x34751806
> >     Cache-control: no-transform
> 
> This would require changes at the intermediaries.

Depends on the CDN model. Any CDN seeded by fetching content over HTTP
from some master server should do fine.

Content-Encoding is a property of the object injected into the CDN.

> It would also require a 
> mechanism to link keys to IDs, which is non-trivial given the same-origin 
> policy, multiple browsing contexts, subresources, etc.

why do same-origin pose a problem?

You mean because the plugin can not fetch http://some.other.domain/key?

Just provide the key information in whatever references the encrypted
URL. Hinting a keyid in the encrypted resource response is not really
needed, it's sufficient to say that it's encrypted.

Regards
Henrik
Received on Wednesday, 7 March 2012 01:50:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT