> > 3) HTTP security controls should only secure content.
> > Signing headers is not only difficult, it is often counterproductive.
> > If a Web service depends on information in a header
> > there is probably something wrong.

What about the URI? What about the method (GET, POST, DELETE...)?

Only protecting the body works for RPC-style web services in which every request is a POST to a single API endpoint (e.g. POST /api/ HTTP/1.1). Even then the body needs to have an "audience" field that is likely to repeat the host (or URI).

HTTP/2 needs to support REST APIs, where the method and URI are crucial parts.

> > From these I draw the following conclusions:
> >
> > * HTTP 2.0 should draw a distinction between routing headers and
> > content meta-data

+1
Though I suspect there are lots of headers where this distinction is not crystal clear.

> > * HTTP encryption and authentication are necessary independent of TLS
> > support

--
James Manger

Received on Thursday, 26 July 2012 00:05:29 GMT
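The point about REST APIs, as an added illustration that is not part of the thread: a MAC that covers only the body is compared with one that also binds method, URI and host, using a constructed shared key and a constructed request. The body-only tag still verifies when the method is changed, while the request-bound tag does not.

```python
import hashlib
import hmac

# Constructed sample key for the illustration, not a value from the thread.
KEY = b"constructed-shared-secret"


def sign_body_only(body: bytes) -> str:
    """The 'secure only content' scheme: the MAC covers just the body."""
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def sign_request(method: str, uri: str, host: str, body: bytes) -> str:
    """A scheme that also binds the routing parts a REST API acts on.

    Each component is length-prefixed before hashing so that moving bytes
    between components (e.g. uri='/a', body='b' vs uri='/ab', body='') cannot
    produce the same MAC input.
    """
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for part in (method.upper().encode(), uri.encode(), host.lower().encode(), body):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.hexdigest()


def verify(expected_tag: str, actual_tag: str) -> bool:
    """Constant-time comparison so tag checks do not leak timing information."""
    return hmac.compare_digest(expected_tag, actual_tag)


def coverage_check() -> dict:
    """Sign a constructed GET and re-verify after only the method changes."""
    body = b'{"id": 42}'
    original = dict(method="GET", uri="/users/42", host="api.example.com", body=body)
    # Same body, same URI, but a method with a very different effect on the server.
    modified = dict(original, method="DELETE")

    body_tag = sign_body_only(body)
    full_tag = sign_request(**original)
    return {
        "body_only_accepts_modified": verify(body_tag, sign_body_only(modified["body"])),
        "full_accepts_original": verify(full_tag, sign_request(**original)),
        "full_accepts_modified": verify(full_tag, sign_request(**modified)),
    }


if __name__ == "__main__":
    print(coverage_check())
```

The same check applies to the "audience" remark: unless the body itself names the host and URI, the body-only tag also verifies when the request is replayed against a different endpoint.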