Re: New Version Notification for draft-kazuho-httpbis-selftrace-00.txt from Martin Thomson on 2021-08-17 (ietf-http-wg@w3.org from July to September 2021)

From: Martin Thomson <mt@lowentropy.net>
Date: Tue, 17 Aug 2021 14:05:35 +1000
To: "Kazuho Oku" <kazuhooku@gmail.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <ab0cb4f2-9ddd-4557-b9a9-a3d0add123e5@www.fastmail.com>

On Tue, Aug 17, 2021, at 13:53, Kazuho Oku wrote:
> For privacy reasons (and probably also for security reasons), the 
> requirement we have is that only the client that created the connection 
> should be capable of fetching the trace.

For something like this, I would start by suggesting a capability URL: https://www.w3.org/TR/capability-urls/ (which is along the lines of what you contemplate; but in case you needed a name to hang this off).

Of course, capability URLs have a ...mixed reputation.  Nothing stopping you from adding tokens or passwords or crypto or something, but each additional protection comes with costs.  I'd want to see that the cost was justified before going for anything more complicated.

Received on Tuesday, 17 August 2021 04:06:10 UTC