Re: http+aes

On 2012-03-05 11:52, Stefan Eissing wrote:
>
> Am 05.03.2012 um 11:43 schrieb Poul-Henning Kamp:
>>
>> I could understand it if the userinfo pointed to a PSK, but sending
>> the actual AES key as part of the request defeats any attempt at
>> privacy I can see ?
>
>
> I assume the intention is to omit the userinfo in the request, as
> it is done with the userinfo in the standard http scheme.
>
> It would be interesting to hear more about the intended use scenario.
> My gut feeling is that URIs are public by nature and like to be written
> down.
>
> Also, would the fragment identifier, given that a new scheme is introduced
> anyway, not be a better place to store information for the client?
> ...

-1; fragment identifier semantics depends on media type, not protocol...

But yes, it's not entirely clear why this needs to be in the URI.

Received on Monday, 5 March 2012 11:03:01 UTC