W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Web Keys and HTTP Signatures

From: Carsten Bormann <cabo@tzi.org>
Date: Thu, 18 Apr 2013 17:04:21 +0200
Message-Id: <5A2E2FE8-BBB0-4ADC-8B22-C12B4FD82537@tzi.org>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
> But to belabor the obvious,
> including the header list in the signature doesn't change any reorder
> property. If the header values can be swapped without the list included,
> they can still be reordered with the list included. 

In the design I was criticizing, a sequence of values was signed, but the mapping from the position in the list of values to a specific header field was in an unprotected field.  So Alice could send a Content-MD5 header, and Charlie could not change its value, but change the meaning of the header to a mumble-foo header, and Bob would be none-the-wiser.
(Of course, the use of Content-MD5 in the spec is the next problem.  And so on.
If Stephen looks at this, I'm happy.)

Gre, Carsten
Received on Thursday, 18 April 2013 15:04:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:12 UTC