W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: Call for Adoption: Encrypted Content Encoding

From: Eliot Lear <lear@cisco.com>
Date: Tue, 1 Dec 2015 10:50:58 +0100
To: Julian Reschke <julian.reschke@gmx.de>, "Walter H." <Walter.H@mathemainzel.info>, Roland Zink <roland@zinks.de>
Cc: Jim Manico <jim@manicode.com>, ietf-http-wg@w3.org
Message-ID: <565D6D82.6040002@cisco.com>
I realize there's a lot of back and forth on this, and so just to
restate my own position so that it doesn't get lost in the bustle.

The approach standardizes behavior that would ease transmission of
malware to end users without the ability of the server to scan content
by providing a  protocol element automated systems could use that does
not already exist today.

While somewhat analogous to an encrypted zip file, we don't specify
behavior in that case, and unknown zip files themselves are well known
to to pose risks such that automated processing is generally
discouraged.  Certainly

That to me is *not* a show stopper so long as we acknowledge it in the
Security Considerations and discuss mitigations as we do with other new
vectors.  Although I gave as an example a single means to demonstrate
that it is possible to mitigate risks from such a vector, unless there
is a clear approach that requires very little work, I'm not suggesting
that the mitigation or any other be fully specified in this document.

By the way: draft-thomson-http-signature lays a good foundation for any
attestation approach.

Eliot



Received on Tuesday, 1 December 2015 09:51:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC