Re: Content security model

Yes, in a web service context the two are independent.

* Header confidentiality is a major concern in many instances, ==> TLS
is a requirement
* Integrity and encryption need to flow across intermediaries, ==>
HTTP security is a requirement

TLS is inherently limited to two-party conversations (OK, you could
possibly force it to do multicast).

Web Services transactions are frequently of the type: A hands data
on to B, who looks at it and decides whether to forward it to C or D,
which may be immediate or after a delay. TLS is just not the right
tool to achieve that requirement, although it would probably be used on
each of the A-B, B-C, C-D links.

On Wed, Jul 25, 2012 at 1:48 PM, Paul Hoffman <> wrote:
> On Wed, Jul 25, 2012 at 9:59 AM, Phillip Hallam-Baker <> wrote:
>> . . . long discussion differentiating HTTP headers and body . . .
>> From these I draw the following conclusions:
>> * HTTP 2.0 should draw a distinction between routing headers and
>> content meta-data
>> * HTTP encryption and authentication are necessary independent of TLS support
> Just to be clear, that last bullet should be "Encryption and
> authentication of HTTP bodies are necessary independent of TLS
> support", yes?


Received on Wednesday, 25 July 2012 18:23:27 UTC
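
The A-to-B-to-C forwarding case from the message above, as an added example that is not part of the original post: the originator computes an HMAC over the body and content meta-data, the intermediary rewrites only routing headers, and the final recipient verifies without trusting the intermediary. The key, the header names (`next-hop`, `via`) and the message layout are assumptions made for illustration, and only integrity is shown (body encryption would follow the same split).

```python
import hashlib
import hmac
import json

# Constructed demo key shared by A and the final recipient only; B never holds it.
END_TO_END_KEY = b"constructed-demo-key-A-to-C"

def mac_over(key, content_meta, body):
    # Length-prefixed canonical metadata so metadata and body bytes cannot be confused.
    meta = json.dumps(content_meta, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, len(meta).to_bytes(4, "big") + meta + body, hashlib.sha256).hexdigest()

def originate(key, routing, content_meta, body):
    """A: protect body and content meta-data; routing headers stay outside the MAC."""
    return {"routing": dict(routing), "content_meta": dict(content_meta),
            "body": body, "mac": mac_over(key, content_meta, body)}

def forward(message, next_hop, tamper=False):
    """B: terminates the TLS session from A and opens a new one to next_hop.
    It may rewrite routing headers but holds no key for the body protection."""
    routing = dict(message["routing"])
    routing["next-hop"] = next_hop
    routing["via"] = routing.get("via", []) + ["B"]
    out = {**message, "routing": routing}
    if tamper:  # models a faulty or compromised intermediary
        out["body"] = out["body"].replace(b"100", b"900")
    return out

def receive(key, message):
    """C or D: check what A sent, however many hops or delays it crossed."""
    expected = mac_over(key, message["content_meta"], message["body"])
    return hmac.compare_digest(expected, message["mac"])

if __name__ == "__main__":
    msg = originate(END_TO_END_KEY, {"next-hop": "B"},
                    {"content-type": "application/json"}, b'{"amount": 100}')
    print("forwarded intact:", receive(END_TO_END_KEY, forward(msg, "C")))
    print("forwarded tampered:", receive(END_TO_END_KEY, forward(msg, "D", tamper=True)))
```
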