Re: http+aes

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 06 Mar 2012 09:25:42 +0100
To: "Ian Hickson" <ian@hixie.ch>, "Willy Tarreau" <w@1wt.eu>
Cc: URI <uri@w3.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <op.waqpo4el64w2qv@annevk-macbookpro.local>

On Tue, 06 Mar 2012 07:55:07 +0100, Willy Tarreau <w@1wt.eu> wrote:
> So you mean that it's the *real* decryption key which is passed in  
> userinfo? It appeared obvious to me that it was just an identifier for a  
> key that the client had fetched somewhere else (eg: on the same site via  
> https or at least without passing via the CDN). If the real key is  
> passed in the response, then I fail to get the use case since your CDN  
> gets the key as well :-/

How? A resource on server S links to a resource on CDN C using http+aes.  
C's resource is encrypted. C does not know the key. The key is hosted on  
S's resource as part of the http+aes link. When the user agent fetches C's  
resource it does not include the key, but decrypts it as data comes in. So  
C never knows anything about the bits it is hosting, S and the user agent  
do.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 6 March 2012 08:26:47 GMT
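
The exchange described in the message above, as an added example that is not part of the original thread or of the http+aes proposal itself: S publishes a link with the key in userinfo, the user agent strips it before requesting from C, and decrypts locally. The key encoding (hex), the cipher (AES-128-CTR with a 16-byte IV prefix), the in-memory CDN and the host `cdn.example` are assumptions made for illustration.

```javascript
// Added example. Assumptions: hex key in userinfo, AES-128-CTR, 16-byte IV
// prefixed to the body, in-memory stand-in for C. All values are constructed.
const nodeCrypto = require('node:crypto');

// C: stores opaque bytes and records every request URL it receives.
function makeCdn() {
  const cdn = { store: new Map(), seen: [] };
  cdn.get = (url) => {
    cdn.seen.push(url);
    return cdn.store.get(new URL(url).pathname);
  };
  return cdn;
}

// S: encrypts before upload, then publishes a link that carries the key.
function publish(cdn, host, path, plaintext) {
  const key = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(16);
  const enc = nodeCrypto.createCipheriv('aes-128-ctr', key, iv);
  cdn.store.set(path, Buffer.concat([iv, enc.update(plaintext), enc.final()]));
  return `http+aes://${key.toString('hex')}@${host}${path}`;
}

// User agent: separate what goes on the wire to C from what stays local.
function splitLink(link) {
  const u = new URL(link);
  if (u.protocol !== 'http+aes:') throw new Error('not an http+aes link');
  if (!/^[0-9a-f]{32}$/i.test(u.username) || u.password) {
    throw new Error('malformed key in userinfo');
  }
  // Rebuild from host, path and query only, so userinfo cannot reach C.
  const requestUrl = `http://${u.host}${u.pathname}${u.search}`;
  return { key: Buffer.from(u.username, 'hex'), requestUrl };
}

// User agent: fetch ciphertext from C without the key, decrypt locally.
// CTR gives confidentiality only; C could still alter bytes undetected.
function fetchAndDecrypt(cdn, link) {
  const { key, requestUrl } = splitLink(link);
  const body = cdn.get(requestUrl);
  if (!body || body.length < 16) throw new Error('missing or truncated body');
  const dec = nodeCrypto.createDecipheriv('aes-128-ctr', key, body.subarray(0, 16));
  const plain = Buffer.concat([dec.update(body.subarray(16)), dec.final()]);
  return plain.toString('utf8');
}
```

After a round trip, `cdn.seen` holds exactly what C observed, which makes it easy to check that the key never appears in a request.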
