
Re: Comments on draft-ietf-httpbis-encryption-encoding-04

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 12 Nov 2016 08:32:44 +0100
To: Martin Thomson <martin.thomson@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <a3f3a4e0-5be3-f619-d2f8-cdda6ce2ed1e@gmx.de>

On 2016-11-12 07:56, Martin Thomson wrote:
> ...
>> S 3.
>> This whole Crypto-Key thing seems like a menace. As has been noted,
>> it's a terrible idea to provide Crypto-Key and encrypted data
>> for the same key in the same HTTP message, but that's the only
>> thing you seem to support:
>>
>>    The value or values provided in the Crypto-Key header field is valid
>>    only for the current HTTP message unless additional information
>>    indicates a greater scope.
>>
>> Do we have a concrete use case for Crypto-Key? If not, I would remove
>> it. If so, I would consider writing a different spec.
>
> Maybe we can discuss this in the meeting, I don't have any objection
> to this.  I like deleting code.
> ...

One use case is over here: 
<https://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-09.html#n-example-involving-an-encrypted-resource>

If "Crypto-Key" isn't defined in the base spec, any other spec that 
defines how to pass around the key information will have to define it 
itself. That doesn't sound like a good idea to me.

Best regards, Julian
Received on Saturday, 12 November 2016 07:33:20 UTC
