- From: Walter H. <Walter.H@mathemainzel.info>
- Date: Sun, 29 Nov 2015 11:20:57 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Received on Sunday, 29 November 2015 10:21:25 UTC
On 28.11.2015 03:43, Martin Thomson wrote:
> On 26 November 2015 at 20:48, Walter H.<Walter.H@mathemainzel.info> wrote:
>> can someone tell me REAL USEFUL use case where someone would need
>> this way of having something encrypted on a webserver?
>
> The two use cases where this is likely to appear in the short term are:
>
> 1. web push - where an encrypted resource is created on a server by
> one entity and retrieved by another. The server doesn't get to see
> the contents.

I'd say this is the wrong answer; this can be done alternatively as used to do
(pushing an encrypted .rar or .zip is exactly this use case with advantage,
there is no implicit malware impact ...)

For security reasons, exactly this way you mentioned must be forbidden;
there mustn't be a way of pushing malware to a server which the server itself
has no possibility to clean ...

> 2. blind caching - the same as in web push actually. An origin server
> uses an untrusted cache and wants to encrypt data so that the cache
> can't modify or view the content.

As I think, this is a security hole, too.

Now where is a REAL USEFUL use case?