
Re: Call for Adoption: Encrypted Content Encoding

From: Walter H. <Walter.H@mathemainzel.info>
Date: Sun, 29 Nov 2015 11:20:57 +0100
Message-ID: <565AD189.3070502@mathemainzel.info>
To: Martin Thomson <martin.thomson@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 28.11.2015 03:43, Martin Thomson wrote:
> On 26 November 2015 at 20:48, Walter H.<Walter.H@mathemainzel.info>  wrote:
>> can someone tell me REAL USEFUL use case where someone would need
>> this way of having something encrypted on a webserver?
>
> The two use cases where this is likely to appear in the short term are:
>
> 1. web push - where an encrypted resource is created on a server by
> one entity and retrieved by another.  The server doesn't get to see
> the contents.

I'd say this is the wrong answer; this can be done alternatively, as used to do
(pushing an encrypted .rar or .zip is exactly this use case, with the advantage
that there is no implicit malware impact ...)

For security reasons, exactly this way you mentioned must be forbidden;
there mustn't be a way of pushing malware to a server
which the server itself has no possibility to clean ...

> 2. blind caching - the same as in web push actually.  An origin server
> uses an untrusted cache and wants to encrypt data so that the cache
> can't modify or view the content.

As I think, this is a security hole, too.

Now where is a REAL USEFUL use case?

Received on Sunday, 29 November 2015 10:21:25 UTC
