W3C home > Mailing lists > Public > uri@w3.org > March 2012

Re: http+aes

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 5 Mar 2012 15:20:24 -0800
Message-ID: <CAP2znoaOUYqGGu+ib3SfsJkX+BWaa2Ce5tUfgHT-qy+hUBTQwQ@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Yngve Nysaeter Pettersen <yngve@opera.com>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Mar 5, 2012 at 10:09 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:

> I'm sorry, but IMO this is just security-theater, and it represents
> so terrible handling of key-material that it is deeply irresponsible
> to even mention it in a standards document, without a lengthy list
> of caveats and disclaimers.

Could you elaborate on this? In particular, what risks do you believe exist
here given the scenario this is intended to address and given the list of
issues to consider already given in the specification?

I'm eager to address any problems that exist with this proposal, but I am
failing to reconcile the proposal as I understand it with your assessment
of it above.

Ian Hickson
Received on Monday, 5 March 2012 23:21:14 UTC

This archive was generated by hypermail 2.4.0 : Sunday, 10 October 2021 22:17:55 UTC