W3C home > Mailing lists > Public > public-html@w3.org > March 2012

Re: Encrypting content stored on untrusted CDNs

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 2 Mar 2012 15:25:50 -0800
Message-ID: <CAP2znoYrQXHY5r1Sw-JZii4p2Fc=hCspc2WZ2jCZ7t72Q2sGOQ@mail.gmail.com>
To: Kornel Lesiński <kornel@geekhood.net>, Mark Watson <watsonm@netflix.com>
Cc: "public-html@w3.org" <public-html@w3.org>, "Tab Atkins Jr." <jackalmage@gmail.com>
On Tue, Feb 28, 2012 at 10:57 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Wed, 29 Feb 2012, Kornel LesiÅ~Dski wrote:>
> > How about defining a new scheme which includes the key in the URL?
> >
> > Example modeled on "password" part of HTTP URLs:
> >
> >    myVideo.src = 'http+aes://' + escape(mykey) + ':@
> cdn.example.net/video123';
> >
> > Although not so pretty, it would readily work in all places where URLs
> > do, including HTML markup.
>
> I can't see any problem with this off the top of my head. It neatly solves
> the problem for every content type, not just HTML, which is great for
> dealing with the manifest cases Mark mentioned.
>
> Would we want to also support this over https? I suppose it's possible
> that we'd have a situation where we trusted a CDN to know the URL that a
> user was requesting but still wanted to protect the user from his network
> peers knowing what URL he was getting...
>
> Anyone want to write a spec for this?
>

I've now specced this:

http://html5.org/tools/web-apps-tracker?from=7011&to=7012
http://www.whatwg.org/specs/web-apps/current-work/#http+aes-scheme

If anyone would like to edit a spec of this that's independent of the HTML
spec, let me know, I'd be happy to move this to another spec.

-- 
Ian Hickson
Received on Friday, 2 March 2012 23:26:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:46 GMT