
Re: Encryption simplification

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Mon, 31 Oct 2016 20:11:26 +0200 (EET)
Message-Id: <201610311811.u9VIBQJ9023569@shell.siilo.fmi.fi>
To: Costin Manolache <costin@gmail.com>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Martin Thomson <martin.thomson@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP working group mailing list <ietf-http-wg@w3.org>

Costin Manolache <costin@gmail.com>: (Mon Oct 31 19:50:18 2016)
> I'm not sure I understand - if symmetric keys are used:
> 1. They should not be sent along with the content
> 2. If they are for some reason, it doesn't make a difference if it's in
> header or body

It makes a difference with Out-Of-Band.

> > https://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-08.html#rfc.section.3.5.3

gives:

-------------------------------------------------
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Encoding: aesgcm, out-of-band
Content-Type: text/plain
Encryption: keyid="a1"; salt="vr0o6Uq3w_KDWeatc27mUg"
Crypto-Key: keyid="a1"; aesgcm="csPJEXBYA5U-Tal9EdJi-w"
Content-Length: 101
Vary: Accept-Encoding

{
  "sr": [
    { "r" :
      "http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"}
  ]
}
-------------------------------------------------

Note that the actual body, which was encrypted, is at
http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00

That is a different server from the one where these headers
(and the out-of-band pointer to the body) were obtained.


The story is that combination:

    Content-Encoding: aesgcm, out-of-band

First encrypt the body: aesgcm
Then move the body out of the response: out-of-band


/ Kari Hurtta
Received on Monday, 31 October 2016 18:12:04 UTC
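
The coding order and key placement described in the message above, as an added example that is not part of the original e-mail or of either draft: it parses the quoted response, derives the receiver's decoding steps (codings undone in reverse of the listed order), and reports which host holds the ciphertext versus the key. `ORIGIN_HOST` and all function names are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed input: the response quoted in the message, with some headers dropped.
RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Encoding: aesgcm, out-of-band\r\n"
    'Encryption: keyid="a1"; salt="vr0o6Uq3w_KDWeatc27mUg"\r\n'
    'Crypto-Key: keyid="a1"; aesgcm="csPJEXBYA5U-Tal9EdJi-w"\r\n'
    "\r\n"
    '{"sr": [{"r": "http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"}]}'
)
ORIGIN_HOST = "origin.example"  # assumption: the host that served the headers

def parse_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def parse_params(value):
    # 'keyid="a1"; salt="..."' -> {"keyid": "a1", "salt": "..."}
    pairs = (part.strip().partition("=") for part in value.split(";"))
    return {k: v.strip('"') for k, _, v in pairs}

def decode_plan(headers, body):
    # Codings are listed in the order applied, so the receiver undoes them in reverse.
    codings = [c.strip() for c in headers["content-encoding"].split(",")]
    plan = []
    for coding in reversed(codings):
        if coding == "out-of-band":
            plan.append(("fetch", json.loads(body)["sr"][0]["r"]))
        elif coding == "aesgcm":
            enc = parse_params(headers["encryption"])
            key = parse_params(headers.get("crypto-key", ""))
            if enc["keyid"] != key.get("keyid"):
                raise ValueError("no Crypto-Key entry for keyid " + enc["keyid"])
            plan.append(("decrypt", enc["keyid"]))
        else:
            raise ValueError("unsupported coding: " + coding)
    return plan

def exposure(headers, body, origin_host):
    # The key travels in the origin's headers; the ciphertext sits at the fetch URI.
    body_host = urlsplit(dict(decode_plan(headers, body))["fetch"]).hostname
    return {"ciphertext_host": body_host, "key_host": origin_host,
            "body_host_sees_key": body_host == origin_host}
```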
