- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 06 Mar 2012 09:25:42 +0100
- To: "Ian Hickson" <ian@hixie.ch>, "Willy Tarreau" <w@1wt.eu>
- Cc: URI <uri@w3.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
On Tue, 06 Mar 2012 07:55:07 +0100, Willy Tarreau <w@1wt.eu> wrote: > So you mean that it's the *real* decryption key which is passed in > userinfo? It appeared obvious to me that it was just an identifier for a > key that the client had fetched somewhere else (eg: on the same site via > https or at least without passing via the CDN). If the real key is > passed in the response, then I fail to get the use case since your CDN > gets the key as well :-/ How? A resource on server S links to a resource on CDN C using http+aes. C's resource is encrypted. C does not know the key. The key is hosted on S's resource as part of the http+aes link. When the user agent fetches C's resource it does not include the key, but decrypts it as data comes in. So C never knows anything about the bits it is hosting, S and the user agent do. -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 6 March 2012 08:26:48 UTC