Re: Comments on draft-ietf-httpbis-encryption-encoding-04

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Nov 2016 23:42:19 -0800
Message-ID: <CABcZeBOQg5Yzxi_A=LMbgvqjX8qn_goeTcOHgYSfs87DLKAZ7A@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Nov 11, 2016 at 11:32 PM, Julian Reschke <julian.reschke@gmx.de> wrote:

> On 2016-11-12 07:56, Martin Thomson wrote:
>
>> ...
>>
>>> S 3.
>>> This whole Crypto-Key thing seems like a menace. As has been noted,
>>> it's a terrible idea to provide Crypto-Key and encrypted data
>>> for the same key in the same HTTP message, but that's the only
>>> thing you seem to support:
>>>
>>>    The value or values provided in the Crypto-Key header field is valid
>>>    only for the current HTTP message unless additional information
>>>    indicates a greater scope.
>>>
>>> Do we have a concrete use case for Crypto-Key? If not, I would remove
>>> it. If so, I would consider writing a different spec.
>>>
>>
>> Maybe we can discuss this in the meeting, I don't have any objection
>> to this.  I like deleting code.
>> ...
>>
>
> One use case is over here:
> <https://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-09.html#n-example-involving-an-encrypted-resource>
>
> If "Crypto-Key" isn't defined in the base spec, any other spec that defines
> how to pass around the key information will have to define it itself. That
> doesn't sound like a good idea to me.
>

But what's defined in the spec is only useful for the existing message. It
seems to me like this should be in a different spec...

-Ekr


>
> Best regards, Julian
>
Received on Saturday, 12 November 2016 07:43:32 UTC