On Fri, Nov 11, 2016 at 11:32 PM, Julian Reschke <julian.reschke@gmx.de>
wrote:
> On 2016-11-12 07:56, Martin Thomson wrote:
>
>> ...
>>
>>> S 3.
>>> This whole Crypto-Key thing seems like a menace. As has been noted,
>>> it's a terrible idea to provide Crypto-Key and encrypted data
>>> for the same key in the same HTTP message, but that's the only
>>> thing you see to support:
>>>
>>> The value or values provided in the Crypto-Key header field is valid
>>> only for the current HTTP message unless additional information
>>> indicates a greater scope.
>>>
>>> Do we have a concrete use case for Crypto-Key? If not, I would remove
>>> it. If so, I would consider writing a different spec.
>>>
>>
>> Maybe we can discuss this in the meeting, I don't have any objection
>> to this. I like deleting code.
>> ...
>>
>
> One use case is over here: <https://greenbytes.de/tech/we
> bdav/draft-reschke-http-oob-encoding-09.html#n-example-invol
> ving-an-encrypted-resource>
>
> If "Cryto-Key" isn't defined in the base spec, any other spec that defines
> how to pass around the key information will have to define it itself. That
> doesn't sound like a good idea to me.
>
But what's defined in the spec is only useful for the existing message. It
seems to me like this should be in a different spec...
-Ekr
>
> Best regards, Julian
>