W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Content security model

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 25 Jul 2012 14:23:00 -0400
Message-ID: <CAMm+LwhSVVJjmBA7hj9mZK1cJ02V6twKxi+guS+bNGghd7cRvA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@gmail.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Yes, in a web service context the two are independent.

* Header confidentiality is a major concern in many instances, ==> TLS
is a requirement
* Integrity and encryption need to flow across intermediaries, ==>
HTTP security is a requirement

TLS is inherently limited to two party conversations (OK you could
possibly force it to do multicast).

Web Services transactions are frequently of the type, A hands data
onto B who looks at it and decides whether to forward it to C or D
which may be immediate or after a delay. TLS is just not the right
tool to achieve that requirement although it would probably be used on
each of the A-B, B-C, C-D links.

On Wed, Jul 25, 2012 at 1:48 PM, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> On Wed, Jul 25, 2012 at 9:59 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> . . . long discussion differentiating HTTP headers and body . . .
>> From these I draw the following conclusions:
>> * HTTP 2.0 should draw a distinction between routing headers and
>> content meta-data
>> * HTTP encryption and authentication are necessary independent of TLS support
> Just to be clear, that last bullet should be "Encryption and
> authentication of HTTP bodies are necessary independent of TLS
> support", yes?

Website: http://hallambaker.com/
Received on Wednesday, 25 July 2012 18:23:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:03 UTC