- From: Story H.J. <H.J.Story@soton.ac.uk>
- Date: Wed, 28 Jun 2017 05:00:08 +0000
- To: Martynas Jusevičius <martynas@atomgraph.com>
- CC: public-webid <public-webid@w3.org>, "draft-cavage-http-signatures@ietf.org" <draft-cavage-http-signatures@ietf.org>
On 28 Jun 2017, at 00:33, Martynas Jusevičius <martynas@atomgraph.com<mailto:martynas@atomgraph.com>> wrote: Hi, I think there is another case where failure scenario is not defined in protocol: verifying the WebID. What happens if the certificate key does not match the WebID key? None of the verification steps or sections seem to consider that. I suggest again that a 400 Bad Request should be returned. I think it is important for the protocol to handle failures if we want robust implementations. Is this group active enough to fix such issues? Oops. I don't see that the HTTP Signature document mentions this either. https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ My guess is that whatever the answer for WebID-TLS is it would be the same for HTTP-Signature too. And my guess is that they will tell us to look at the HTTP 2.0 spec for the correct response codes. Still it would be good to see if we are in agreement here about this. I am not sure if there is a mailing list for http-signatures. I can't find one referenced from the IETF Doc. Henry Martynas
Received on Wednesday, 28 June 2017 14:48:36 UTC