Re: Call for Adoption: Encrypted Content Encoding

Hi Cory,

On 12/4/15 11:53 AM, Cory Benfield wrote:
> (Replying to Poul-Henning, but this is a question for Mike and Grahame as well):
>
> Earlier in this thread I raised a concern I have about the way this draft accesses keys. In particular, it does not appear to specify any requirement that keys be tied to specific origins or in some way limited in scope: a conforming implementation would be able to have a single global registry of keys that can be used to decrypt content coming from anywhere.
>
> I believe this represents a security risk and should either be addressed in Section 6, or this draft should be accompanied by another that specifies key management in this case.

I'm not particularly certain of your specific concern, but I would
suggest that at least some non-normative mention of key management would
be a helpful addition.

Eliot

Received on Friday, 4 December 2015 13:01:31 UTC
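
The key-scoping concern raised in the quoted message, as an added example that is not part of the original thread or of the draft: a registry that ignores where content came from, beside one that binds each key to a single origin. The class names, the `keyid` lookup label and the sample URLs and key are assumptions constructed for illustration.

```python
# Added illustration; all names and sample values here are hypothetical.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAMPLE_KEY = b"\x01" * 16  # constructed sample key material


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, in the RFC 6454 sense."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("no usable origin in %r" % url)
    port = DEFAULT_PORTS[scheme] if parts.port is None else parts.port
    return (scheme, parts.hostname, port)


class GlobalKeyStore:
    """One global registry: a key is handed out whatever the content's source."""

    def __init__(self):
        self._keys = {}

    def add(self, keyid, key):
        self._keys[keyid] = key

    def lookup(self, response_url, keyid):
        # response_url plays no part in the decision.
        return self._keys.get(keyid)


class OriginScopedKeyStore:
    """Each key is registered for one origin and returned only for that origin."""

    def __init__(self):
        self._keys = {}

    def add(self, url, keyid, key):
        self._keys[(origin_of(url), keyid)] = key

    def lookup(self, response_url, keyid):
        # A miss means "no key for this origin", so decryption is refused.
        return self._keys.get((origin_of(response_url), keyid))
```
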