- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 12 May 2015 13:33:30 +0100
- To: Mark Nottingham <mnot@mnot.net>, Willy Tarreau <w@1wt.eu>
- CC: Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 12/05/15 08:30, Mark Nottingham wrote: > On the other hand, it would be good if we make sure we don't > needlessly block reuse. E.g., it would be good if this were aligned > with something like > <https://tools.ietf.org/html/draft-cavage-http-signatures> (although > we should be wary of what a minefield header signing has proven to be > elsewhere). It might make sense to consider taking them on together. Just a suggestion, and possibly a dumb one at that... In other contexts, we've seen that people talk about use-cases for signing and even deploy signing, but verification can lag significantly behind, which can make the whole effort somewhat pointless. So it might be a useful thing here to only try attempt the general signed header field thing if there are use-cases that are compelling where someone really treats the request or response differently in a well defined way when a signature that includes a header field is bad or cannot be verified. By the "general signed header field thing" I mean something that's like a DKIM-Signature or Dave Crocker's DOSETA proposal or the Cavage draft above. Note that DKIM didn't have to pass the test I'm suggesting here, which was correct in that case. And again, the above is a possibly dumb idea so please take it with salt:-) Cheers, S.
Received on Tuesday, 12 May 2015 12:34:04 UTC