Fwd: http+aes URI scheme from Noah Mendelsohn on 2012-03-05 (www-tag@w3.org from March 2012)

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Mon, 05 Mar 2012 10:17:41 -0500
To: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4F54D915.6000000@arcanedomain.com>

I think this will likely be of interest to the TAG. A discussion has sprung 
up on uri@w3,org. Basically, the HTML5 specification is proposing an 
http+aes URI scheme. Quoting selectively from [1]

URI scheme syntax:
    Same as |http|, with the |userinfo| component instead used for
    specifying the decryption key. (This key is provided in the form of 16,
    24, or 32 bytes encoded as ASCII and escaped as necessary using the URL
    escape mechanism; it is not in the "username:password" form, and the
    ":" character is not special in this component when using this scheme.)
URI scheme semantics:
    Same as |http|, except that the message body must be decrypted by
    applying the AES-CTR algorithm using the key specified in the URL's
    |userinfo| component, after unescaping it from the URL syntax to bytes.
    If there is no such component, or if that component, when unescaped
    from the URL syntax to bytes, does not consist of exactly 16, 24, or 32
    bytes, then the user agent must act as if the resource could not be
    obtained due to a network error, and may report the problem to the user.

[...]

Security considerations:

    URLs using this scheme contain sensitive information (the key used to
    decrypt the referenced content) and as such should be handled with
    care, e.g. only sent over TLS-encrypted connections, and only sent to
    users who are authorized to access the encrypted content.

    User agents are encouraged to not show the key in user interface
    elements where the URL is displayed: first, it's ugly and not useful to
    the user; and second, it could be used to obscure the domain name.


Noah

[1] http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme
-------- Original Message --------
Subject: 	http+aes
Resent-Date: 	Mon, 05 Mar 2012 10:21:40 +0000
Resent-From: 	uri@w3.org
Date: 	Mon, 05 Mar 2012 11:21:06 +0100
From: 	Julian Reschke <julian.reschke@gmx.de>
To: 	URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>



FYI:

	http://dev.w3.org/html5/spec/Overview.html#http-aes-scheme

Received on Monday, 5 March 2012 15:18:04 UTC