Re: http+aes from Ian Hickson on 2012-03-05 (uri@w3.org from March 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 5 Mar 2012 15:20:24 -0800
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Yngve Nysaeter Pettersen <yngve@opera.com>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP2znoaOUYqGGu+ib3SfsJkX+BWaa2Ce5tUfgHT-qy+hUBTQwQ@mail.gmail.com>

On Mon, Mar 5, 2012 at 10:09 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:

>
> I'm sorry, but IMO this is just security-theater, and it represents
> so terrible handling of key-material that it is deeply irresponsible
> to even mention it in a standards document, without a lengthy list
> of caveats and disclaimers.
>

Could you elaborate on this? In particular, what risks do you believe exist
here given the scenario this is intended to address and given the list of
issues to consider already given in the specification?

I'm eager to address any problems that exist with this proposal, but I am
failing to reconcile the proposal as I understand it with your assessment
of it above.

-- 
Ian Hickson

Received on Monday, 5 March 2012 23:21:14 UTC