Re: http+aes

On Mon, Mar 05, 2012 at 11:34:27AM +0100, Anne van Kesteren wrote:
> On Mon, 05 Mar 2012 11:29:01 +0100, Poul-Henning Kamp <phk@phk.freebsd.dk>  
> wrote:
> >In message <4F549392.60802@gmx.de>, Julian Reschke writes:
> >>FYI:
> >>
> >>	http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme
> >
> >So you encrypt the response body with the password clearly visible in the
> >request, to gain privacy?
> >
> >Please explain what I'm overlooking here...
> 
> I think the intent is that the user agent does the decryption and that  
> therefore the key is not part of the request, but the specification is  
> sort of vague / wrong on that, it seems. Ian?

Being able to encrypt only the payload would be extremely useful in
server-to-server communications in datacenters. However it's not clear
to me either how this is supposed to be used, especially in requests
to origin servers that lack the scheme.

Regards,
Willy

Received on Monday, 5 March 2012 10:41:21 UTC