- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 5 Mar 2012 11:40:04 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Poul-Henning Kamp <phk@phk.freebsd.dk>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Hickson <ian@hixie.ch>
On Mon, Mar 05, 2012 at 11:34:27AM +0100, Anne van Kesteren wrote: > On Mon, 05 Mar 2012 11:29:01 +0100, Poul-Henning Kamp <phk@phk.freebsd.dk> > wrote: > >In message <4F549392.60802@gmx.de>, Julian Reschke writes: > >>FYI: > >> > >> http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme > > > >So you encrypt the response body with the password clearly visible in the > >request, to gain privacy ? > > > >Please explain what I'm overlooking here... > > I think the intent is that the user agent does the decryption and that > therefore the key is not part of the request, but the specification is > sort of vague / wrong on that it seems. Ian? Being able to encrypt only the payload would be extremely useful in server-to-server communications in datacenters. However it's not clear to me either how this is supposed to be used, especially in requests to origin servers that lack the scheme. Regards, Willy
Received on Monday, 5 March 2012 10:41:21 UTC