Re: http+aes

On 05.03.2012 at 11:43, Poul-Henning Kamp wrote:
> 
> I could understand it if the userinfo pointed to a PSK, but sending
> the actual AES key as part of the request defeats any attempt at
> privacy I can see?


I assume the intention is to omit the userinfo in the request, as
it is done with the userinfo in the standard http scheme.

It would be interesting to hear more about the intended use scenario.
My gut feeling is that URIs are public by nature and like to be written
down.

Also, would the fragment identifier, given that a new scheme is introduced
anyway, not be a better place to store information for the client?

Cheers,

Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

Received on Monday, 5 March 2012 10:53:28 UTC