- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Mon, 05 Mar 2012 10:17:41 -0500
- To: "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <4F54D915.6000000@arcanedomain.com>
I think this will likely be of interest to the TAG. A discussion has sprung up on uri@w3,org. Basically, the HTML5 specification is proposing an http+aes URI scheme. Quoting selectively from [1] URI scheme syntax: Same as |http|, with the |userinfo| component instead used for specifying the decryption key. (This key is provided in the form of 16, 24, or 32 bytes encoded as ASCII and escaped as necessary using the URL escape mechanism; it is not in the "username:password" form, and the ":" character is not special in this component when using this scheme.) URI scheme semantics: Same as |http|, except that the message body must be decrypted by applying the AES-CTR algorithm using the key specified in the URL's |userinfo| component, after unescaping it from the URL syntax to bytes. If there is no such component, or if that component, when unescaped from the URL syntax to bytes, does not consist of exactly 16, 24, or 32 bytes, then the user agent must act as if the resource could not be obtained due to a network error, and may report the problem to the user. [...] Security considerations: URLs using this scheme contain sensitive information (the key used to decrypt the referenced content) and as such should be handled with care, e.g. only sent over TLS-encrypted connections, and only sent to users who are authorized to access the encrypted content. User agents are encouraged to not show the key in user interface elements where the URL is displayed: first, it's ugly and not useful to the user; and second, it could be used to obscure the domain name. Noah [1] http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme -------- Original Message -------- Subject: http+aes Resent-Date: Mon, 05 Mar 2012 10:21:40 +0000 Resent-From: uri@w3.org Date: Mon, 05 Mar 2012 11:21:06 +0100 From: Julian Reschke <julian.reschke@gmx.de> To: URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org> FYI: http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme
Received on Monday, 5 March 2012 15:18:04 UTC