- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 12 Nov 2016 08:32:44 +0100
- To: Martin Thomson <martin.thomson@gmail.com>, Eric Rescorla <ekr@rtfm.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 2016-11-12 07:56, Martin Thomson wrote:
> ...
>> S 3.
>> This whole Crypto-Key thing seems like a menace. As has been noted,
>> it's a terrible idea to provide Crypto-Key and encrypted data
>> for the same key in the same HTTP message, but that's the only
>> thing you see to support:
>>
>> The value or values provided in the Crypto-Key header field is valid
>> only for the current HTTP message unless additional information
>> indicates a greater scope.
>>
>> Do we have a concrete use case for Crypto-Key? If not, I would remove
>> it. If so, I would consider writing a different spec.
>
> Maybe we can discuss this in the meeting, I don't have any objection
> to this. I like deleting code.
> ...

One use case is over here:

<https://greenbytes.de/tech/webdav/draft-reschke-http-oob-encoding-09.html#n-example-involving-an-encrypted-resource>

If "Crypto-Key" isn't defined in the base spec, any other spec that defines how to pass around the key information will have to define it itself. That doesn't sound like a good idea to me.

Best regards, Julian

Received on Saturday, 12 November 2016 07:33:20 UTC