
Re: http+aes

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 05 Mar 2012 11:51:03 +0100
Message-ID: <4F549A97.8060101@gmx.de>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
CC: Willy Tarreau <w@1wt.eu>, Anne van Kesteren <annevk@opera.com>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>

On 2012-03-05 11:43, Poul-Henning Kamp wrote:
> In message <20120305104004.GC30594@1wt.eu>, Willy Tarreau writes:
>
>> Being able to encrypt only the payload would be extremely useful in
>> server-to-server communications in datacenters.
>
> How useful is it, when packet sniffing gets you both the key
> and the encrypted data?
>
> I could understand it if the userinfo pointed to a PSK, but sending
> the actual AES key as part of the request defeats any attempt at
> privacy I can see?

I think the confusion comes from embedding local information into the
URI; it seems the userinfo is not supposed to be transmitted on the
wire (which of course raises the question about why it's in the URI then).

Best regards, Julian
Received on Monday, 5 March 2012 10:51:36 GMT
