clarification re. http-signatures: header order from Kostas Koukopoulos on 2014-07-03 (public-webpayments@w3.org from July 2014)

From: Kostas Koukopoulos <kk@longaccess.com>
Date: Thu, 3 Jul 2014 12:45:39 +0300
To: public-webpayments@w3.org
Message-ID: <CAPmybu06SJy+vXRFQajs6e50UgVNgOUT=v80QR2v1ZZSs1G5Lg@mail.gmail.com>

Hello,

I have been reading the updated HTTP-signatures draft, the mailing
list archives, and the group minutes trying to understand better the
construction of the string-to-sign. My understanding so far is that
the first sentence in paragraph 2.3 of the spec is a bit ambiguous. It
reads:

> [...] the client MUST use the values of each HTTP header field specified by `headers` in the order they appear.

Initially I thought this meant "in the order that they appear (in the
transmitted HTTP request)". Possibly I was lead to this interpretation
by the language in the second bullet point of the instructions in that
paragraph, regarding duplicate headers, which is:

> all header field values associated with the header field MUST be concatenated and used in the order in which they will appear in the transmitted HTTP message.

But there is another interpretation of "in the order they appear"
which would be "in the order they appear in the "headers" parameter of
the Signature header. Indeed this seems to be the interpretation used
by the two implementations that I have found (node [1], and python
[2]).

First, It would be helpful if this was clarified in the spec. Second I
would like to point out that it is sometimes difficult for those who
will implement the spec to determine the order of the headers in the
sent request. Client libraries (such as python-requests) do not
provide always provide APIs that can determine the header order, e.g.
they might require that headers are provided in unordered dictionary
objects. So in a sense the second interpretation is more simple for
client developers (as evidenced by the choice made in the node and
python libs).

Thank you,
Konstantinos

1. https://github.com/joyent/node-http-signature/blob/c5c4c3ab9a15b72e54d4c1e3a92625fddaf01a4f/lib/signer.js#L136
2. https://github.com/digitalbazaar/py-http-signature/blob/824de0d8957b4423b1ac986fe47a2d303cdfb434/http_signature/sign.py#L150

--
Konstantinos Koukopoulos
(@ The Long Access Company)
<kk@longaccess.com>
landline: +302117706924 mobile:: +306948630066

Your Data. Safe. For Long.

Received on Thursday, 3 July 2014 13:35:14 UTC