- From: John Mattsson <john.mattsson@ericsson.com>
- Date: Sun, 21 Jun 2015 21:11:56 +0000
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <C30D2ED8-59F7-4C1F-A556-BEDC7899794D@ericsson.com>
Some quick comments: - Several: “contans” -> “contains” - “encrytion” -> “encryption” - “encryted” -> “encrypted” - When the key parameter is used, https high enough security should be mandated for the first request. I suggest something like: “The Encryption-Key Header MUST only be used with https fulfilling at least the requirements in [RFC7540] Section 9.2”. Cheers, John On 21 Jun 2015, at 19:54, Julian Reschke <julian.reschke@gmx.de<mailto:julian.reschke@gmx.de>> wrote: On 2015-06-04 18:16, Julian Reschke wrote: FYI -- see below. This is another proposed building block for a system in which an origin server would delegate parts of the content delivery to a secondary server (usually a cache); it's supposed to work together with Martin's encryption content coding. Pretty HTML over here: <http://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-latest.html> Feedback appreciated, Julian One thing I'd like to get people to think about is the way both specs stretch the concept of content codings beyond what has been done before: 1) To undo the content coding defined in draft-thomson-http-encryption-00, the recipient will need encryption related information which is not part of the actual payload; it might be out-of-band, or provided in a response header field. 2) To unwrap the content coding defined in draft-reschke-http-oob-encoding, the client will need to do an additional request to a secondary server. Feedback appreciated, Julian
Received on Sunday, 21 June 2015 21:12:24 UTC