Re: Use case - John and Jane from Eric Rescorla on 2013-03-23 (public-webcrypto-comments@w3.org from March 2013)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 22 Mar 2013 17:33:43 -0700
To: Ryan Sleevi <sleevi@google.com>
Cc: Aymeric Vitte <vitteaymeric@gmail.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-ID: <CABcZeBO3PM6odyeFzA8J6GnzAs+x-sz4drVa38hRQ6PPAeA0yQ@mail.gmail.com>

On Fri, Mar 22, 2013 at 4:57 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
>  Scheme is either HTTP or HTTPS. An origin accessed over HTTP is *not*
> the same as an origin accessed via HTTPS - because they are different
> schemes.
>

Ryan,

I generally agree with your argument here, but I wanted to observe
out that there has been some discussion of mechanisms for
authenticating JS delivered over HTTP (e.g., script-hash).

I don't think this changes your basic point though.

-Ekr

Received on Saturday, 23 March 2013 00:34:55 UTC