On Fri, Nov 11, 2016 at 11:32 PM, Julian Reschke <julian.reschke@gmx.de> wrote: > On 2016-11-12 07:56, Martin Thomson wrote: > >> ... >> >>> S 3. >>> This whole Crypto-Key thing seems like a menace. As has been noted, >>> it's a terrible idea to provide Crypto-Key and encrypted data >>> for the same key in the same HTTP message, but that's the only >>> thing you see to support: >>> >>> The value or values provided in the Crypto-Key header field is valid >>> only for the current HTTP message unless additional information >>> indicates a greater scope. >>> >>> Do we have a concrete use case for Crypto-Key? If not, I would remove >>> it. If so, I would consider writing a different spec. >>> >> >> Maybe we can discuss this in the meeting, I don't have any objection >> to this. I like deleting code. >> ... >> > > One use case is over here: <https://greenbytes.de/tech/we > bdav/draft-reschke-http-oob-encoding-09.html#n-example-invol > ving-an-encrypted-resource> > > If "Cryto-Key" isn't defined in the base spec, any other spec that defines > how to pass around the key information will have to define it itself. That > doesn't sound like a good idea to me. > But what's defined in the spec is only useful for the existing message. It seems to me like this should be in a different spec... -Ekr > > Best regards, Julian >
Received on Saturday, 12 November 2016 07:43:32 UTC