- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Mon, 31 Oct 2016 20:11:26 +0200 (EET)
- To: Costin Manolache <costin@gmail.com>
- CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Martin Thomson <martin.thomson@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP working group mailing list <ietf-http-wg@w3.org>
Costin Manolache <costin@gmail.com>: (Mon Oct 31 19:50:18 2016)
> I'm not sure I understand - if symmetric keys are used:
> 1. They should not be sent along with the content
> 2. If they are for some reason, it doesn't make a difference if it's in
> header or body
It makes a difference with Out-Of-Band
> > https://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-08.html#rfc.section.3.5.3
gives:
-------------------------------------------------
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Encoding: aesgcm, out-of-band
Content-Type: text/plain
Encryption: keyid="a1"; salt="vr0o6Uq3w_KDWeatc27mUg"
Crypto-Key: keyid="a1"; aesgcm="csPJEXBYA5U-Tal9EdJi-w"
Content-Length: 101
Vary: Accept-Encoding

{
  "sr": [
    { "r" :
      "http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"}
  ]
}
-------------------------------------------------
Note that the actual body, which was encrypted, is on
http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00
That is a different server than the one from which these headers
(and the out-of-band pointer to the body) were obtained.
The story is the combination
Content-Encoding: aesgcm, out-of-band
First encrypt the body: aesgcm
Then move the body out of the response: out-of-band
/ Kari Hurtta
Received on Monday, 31 October 2016 18:12:04 UTC
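
The following is an added example, not part of the original message or of the draft it cites. It parses the quoted response, derives the order in which a receiver undoes the two codings, and checks whether the server holding the ciphertext differs from the one that delivered the key. The origin host name `origin.example` and all function names are assumptions; the sample response is constructed from the one quoted above.

```python
import json
from urllib.parse import urlsplit

# Constructed input: the response quoted in the message, with CRLF line endings.
RAW = (
    'HTTP/1.1 200 OK\r\n'
    'Content-Encoding: aesgcm, out-of-band\r\n'
    'Content-Type: text/plain\r\n'
    'Encryption: keyid="a1"; salt="vr0o6Uq3w_KDWeatc27mUg"\r\n'
    'Crypto-Key: keyid="a1"; aesgcm="csPJEXBYA5U-Tal9EdJi-w"\r\n'
    '\r\n'
    '{"sr": [{"r": "http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"}]}'
)

def parse_response(raw):
    """Split a raw response into a lower-cased header dict and the body text."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def params(value):
    """Parse 'keyid="a1"; salt="..."' into {'keyid': 'a1', 'salt': '...'}."""
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {k: v.strip('"') for k, _, v in pairs}

def decode_plan(raw, origin_host):
    """Return (steps, key_kept_apart) for a response fetched from origin_host."""
    headers, body = parse_response(raw)
    codings = [c.strip() for c in headers["content-encoding"].split(",")]
    steps, body_hosts = [], set()
    for coding in reversed(codings):         # undo the last-applied coding first
        if coding == "out-of-band":
            urls = [entry["r"] for entry in json.loads(body)["sr"]]
            body_hosts.update(urlsplit(u).hostname for u in urls)
            steps.append(("fetch", urls))
        elif coding == "aesgcm":
            enc, key = params(headers["encryption"]), params(headers["crypto-key"])
            if enc["keyid"] != key["keyid"] or "aesgcm" not in key:
                raise ValueError("no Crypto-Key matches the Encryption keyid")
            steps.append(("decrypt", enc["keyid"]))
        else:
            raise ValueError("unsupported content coding: " + coding)
    # The key stays with the origin only if no ciphertext location is the origin.
    return steps, origin_host not in body_hosts

if __name__ == "__main__":
    print(decode_plan(RAW, "origin.example"))  # origin host name is an assumption
```
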