- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Wed, 25 Jul 2012 14:23:00 -0400
- To: Paul Hoffman <paul.hoffman@gmail.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Yes, in a web service context the two are independent.

* Header confidentiality is a major concern in many instances,
==> TLS is a requirement

* Integrity and encryption need to flow across intermediaries,
==> HTTP security is a requirement

TLS is inherently limited to two party conversations (OK you could possibly force it to do multicast). Web Services transactions are frequently of the type, A hands data onto B who looks at it and decides whether to forward it to C or D which may be immediate or after a delay.

TLS is just not the right tool to achieve that requirement although it would probably be used on each of the A-B, B-C, C-D links.

On Wed, Jul 25, 2012 at 1:48 PM, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> On Wed, Jul 25, 2012 at 9:59 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> . . . long discussion differentiating HTTP headers and body . . .
>
>> From these I draw the following conclusions:
>>
>> * HTTP 2.0 should draw a distinction between routing headers and
>> content meta-data
>> * HTTP encryption and authentication are necessary independent of TLS support
>
> Just to be clear, that last bullet should be "Encryption and
> authentication of HTTP bodies are necessary independent of TLS
> support", yes?

--
Website: http://hallambaker.com/
Received on Wednesday, 25 July 2012 18:23:27 UTC
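
An added illustration of the A-B-C forwarding case discussed in this message, not part of the original post and not taken from any HTTP specification: A computes an HMAC over the body and content meta-data, intermediary B rewrites only routing headers, and C still verifies the message, while a body change at B is detected. It shows integrity only (no encryption); the header name `x-body-mac`, the host names, the shared key and the routing/meta-data split are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed key, assumed to be shared by A and C out of band; B never holds it.
KEY = b"constructed-demo-key-shared-by-A-and-C"
# Assumed split: these headers describe the content; everything else is routing.
CONTENT_METADATA = ("content-type", "content-length")


def body_mac(key, headers, body):
    """HMAC-SHA256 over the content meta-data headers and the body only."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in CONTENT_METADATA:
        mac.update(f"{name}:{headers.get(name, '')}\n".encode())
    mac.update(b"\n")
    mac.update(body)
    return mac.hexdigest()


def originate(key, body, content_type):
    """Party A: build the message and attach the end-to-end MAC."""
    headers = {
        "host": "b.example",  # routing header, not covered by the MAC
        "content-type": content_type,
        "content-length": str(len(body)),
    }
    headers["x-body-mac"] = body_mac(key, headers, body)  # hypothetical header
    return headers, body


def forward(headers, body, next_hop, tamper=False):
    """Intermediary B: rewrites routing headers; has no key."""
    out = dict(headers)
    out["host"] = next_hop
    out["via"] = "1.1 b.example"
    if tamper:  # models an intermediary altering the payload
        body = body.replace(b"100", b"900")
    return out, body


def verify(key, headers, body):
    """Party C (or D): recompute the MAC and compare in constant time."""
    expected = body_mac(key, headers, body)
    return hmac.compare_digest(expected, headers.get("x-body-mac", ""))


if __name__ == "__main__":
    h, b = originate(KEY, b'{"amount": 100}', "application/json")
    print(verify(KEY, *forward(h, b, "c.example")))
    print(verify(KEY, *forward(h, b, "d.example", tamper=True)))
```

Each A-B, B-C or C-D link could still run over TLS for header confidentiality; the MAC is what carries across the hops.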