- From: Manger, James H <James.H.Manger@team.telstra.com>
- Date: Thu, 26 Jul 2012 10:04:55 +1000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> > 3) HTTP security controls should only secure content.
> > Signing headers is not only difficult, it is often counterproductive.
> > If a Web service depends on information in a header
> > there is probably something wrong.

What about the URI? What about the method (GET, POST, DELETE...)?

Protecting only the body works only for RPC-style web services in which every request is a POST to a single API endpoint (e.g. POST /api/ HTTP/1.1). Even then the body needs to have an "audience" field that is likely to repeat the host (or URI).

HTTP/2 needs to support REST APIs, where the method and URI are crucial parts.

> > From these I draw the following conclusions:
> >
> > * HTTP 2.0 should draw a distinction between routing headers and
> > content meta-data

+1

Though I suspect there are lots of headers where this distinction is not crystal clear.

> > * HTTP encryption and authentication are necessary independent of TLS
> > support

--
James Manger
Received on Thursday, 26 July 2012 00:05:29 UTC
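The objection in the message, that a signature over the body alone leaves the method and URI unbound, can be shown concretely. The following is an added example and not code from the thread or from any HTTP/2 proposal: it signs one request two ways, once over the body only and once over a canonical string that also covers the method, request-target and host, and then verifies the same body and signature under a different method and path. The canonical layout, the `Request` type and the shared secret are assumptions made for this example; the "audience" check implements the body-field workaround the message mentions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed for this example: a shared secret between client and API server.
SECRET = b"constructed-example-secret"


@dataclass(frozen=True)
class Request:
    """Minimal view of an HTTP request (assumed shape for this example)."""
    method: str
    target: str   # request-target, e.g. "/orders/42"
    host: str
    body: bytes


def sign_body_only(req: Request) -> str:
    """Signature covering only the body: the model the quoted text argues for."""
    return hmac.new(SECRET, req.body, hashlib.sha256).hexdigest()


def canonical_request(req: Request) -> bytes:
    """Canonical string binding method, request-target and host to a digest of the body.

    One field per line is an assumption made here, not a format from the thread.
    """
    body_digest = hashlib.sha256(req.body).hexdigest()
    return "\n".join([req.method.upper(), req.target, req.host.lower(), body_digest]).encode()


def sign_bound(req: Request) -> str:
    """Signature covering method, request-target, host and body."""
    return hmac.new(SECRET, canonical_request(req), hashlib.sha256).hexdigest()


def verify_body_only(req: Request, signature: str) -> bool:
    # Looks at req.body only; method and target play no part in the decision.
    return hmac.compare_digest(sign_body_only(req), signature)


def verify_bound(req: Request, signature: str) -> bool:
    return hmac.compare_digest(sign_bound(req), signature)


def audience_matches_host(req: Request) -> bool:
    """The 'audience' field from the message: the body names the intended host and the
    server rejects bodies addressed to a different one."""
    try:
        payload = json.loads(req.body)
    except ValueError:
        return False
    return str(payload.get("audience", "")).lower() == req.host.lower()


def compare_signature_schemes() -> dict:
    """Sign a POST, then verify the same body and signatures as seen under a different
    method and request-target. Returns which schemes still accept the request."""
    body = json.dumps({"audience": "api.example.com", "order": 42}).encode()
    original = Request("POST", "/orders/42/confirm", "api.example.com", body)

    body_sig = sign_body_only(original)
    bound_sig = sign_bound(original)

    # Same body, same signatures, different method and path.
    altered = replace(original, method="DELETE", target="/orders/42")
    # Same body presented to a host it was not addressed to.
    other_host = replace(original, host="other.example.net")

    return {
        "body_only_accepts_original": verify_body_only(original, body_sig),
        "body_only_accepts_altered": verify_body_only(altered, body_sig),
        "bound_accepts_original": verify_bound(original, bound_sig),
        "bound_accepts_altered": verify_bound(altered, bound_sig),
        "audience_ok_for_intended_host": audience_matches_host(original),
        "audience_ok_for_other_host": audience_matches_host(other_host),
    }


if __name__ == "__main__":
    for name, outcome in compare_signature_schemes().items():
        print(f"{name}: {outcome}")
```

The body-only scheme returns the same verdict for the POST and the DELETE because nothing in its input changes; the bound scheme rejects the altered request because the canonical string differs. The audience check covers the host but still says nothing about the method or path, which is why the message treats it as a partial workaround for single-endpoint RPC services rather than a substitute for signing the request line.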