- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 12 May 2015 10:23:12 -0700
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>

On 12 May 2015 at 06:48, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> It's very simple: You have an envelope everybody can see (the headers)
> and you have the content (the body).
>
> Anything you want to keep secret goes in the body.

Yes. This is the design we propose.

If headers need protection, they can go inside the encrypted body using application/http content type. That probably needs to be accompanied by rules regarding composition of headers for presentation after decryption.

Julian suggested offline that the representation header fields [1] are easy: the encrypted form takes precedence. It might be that the other header fields are just writing on the envelope that can be discarded.

[1] https://tools.ietf.org/html/rfc7231#section-3.1

Received on Tuesday, 12 May 2015 17:23:39 UTC