> In message <20120305104004.GC30594@...>, Willy Tarreau writes:
>> Being able to encrypt only the payload would be extremely useful in
>> server-to-server communications in datacenters.
> How useful is it, when packet sniffing gets you both the key
> and the encrypted data?
> I could understand it if the userinfo pointed to a PSK, but sending
> the actual AES key as part of the request defeats any attempt at
> privacy I can see?
I think the confusion comes from embedding local information into the
URI; it seems the userinfo is not supposed to be transmitted on the
wire (which of course raises the question of why it's in the URI then).