Re: Web Keys and HTTP Signatures

On Wed, Apr 17, 2013 at 6:03 PM, Carsten Bormann <cabo@tzi.org> wrote:
> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
> I looked at this for about 5 seconds, but are you telling us the attacker gets to choose what the lines in the signed string are supposed to mean?
>

I'm not sure I understand your question? The request signature
specifies the headers that are signed. The server can reject a request
based on a header requirement policy. Our current implementation
requires the headers to at least include request-line, host, and date.
What specific attack did you have in mind?

-dave

Received on Wednesday, 17 April 2013 23:13:51 UTC