I realize there's a lot of back and forth on this, and so just to restate my own position so that it doesn't get lost in the bustle. The approach standardizes behavior that would ease transmission of malware to end users without the ability of the server to scan content by providing a protocol element automated systems could use that does not already exist today. While somewhat analogous to an encrypted zip file, we don't specify behavior in that case, and unknown zip files themselves are well known to to pose risks such that automated processing is generally discouraged. Certainly That to me is *not* a show stopper so long as we acknowledge it in the Security Considerations and discuss mitigations as we do with other new vectors. Although I gave as an example a single means to demonstrate that it is possible to mitigate risks from such a vector, unless there is a clear approach that requires very little work, I'm not suggesting that the mitigation or any other be fully specified in this document. By the way: draft-thomson-http-signature lays a good foundation for any attestation approach. Eliot
Received on Tuesday, 1 December 2015 09:51:34 UTC