
Re: Web Keys and HTTP Signatures

From: David I. Lehn <dil@lehn.org>
Date: Wed, 17 Apr 2013 19:13:24 -0400
Message-ID: <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
On Wed, Apr 17, 2013 at 6:03 PM, Carsten Bormann <cabo@tzi.org> wrote:
> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
> I looked at this for about 5 seconds, but are you telling us the attacker gets to choose what the lines in the signed string are supposed to mean?
>

I'm not sure I understand your question? The request signature
specifies the headers that are signed. The server can reject a request
based on a header requirement policy. Our current implementation
requires the headers to at least include request-line, host, and date.
What specific attack did you have in mind?

-dave
Received on Wednesday, 17 April 2013 23:13:51 UTC
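As an added illustration of the server-side policy described above (example code written for this page, not code from the post or from node-http-signature), here is a small verifier that parses the Signature parameters, enforces the request-line/host/date minimum, and only then checks an hmac-sha256 signature. The key table, request and secret are constructed for the demo, and `parse_signature_params`, `build_signing_string` and `verify_request` are assumed names of my own.

```python
import base64, hashlib, hmac, re

# Minimum header set the verifier demands (the policy described in the post).
REQUIRED_HEADERS = {"request-line", "host", "date"}
# Constructed demo key table; a real verifier looks the secret up by keyId.
KEYS = {"demo-key": b"constructed-shared-secret"}


def parse_signature_params(auth_header):
    """Parse 'Signature keyId="..",algorithm="..",headers="..",signature=".."'."""
    scheme, _, params = auth_header.partition(" ")
    if scheme != "Signature":
        raise ValueError("not an HTTP Signature Authorization header")
    parsed = dict(re.findall(r'(\w+)="([^"]*)"', params))
    # The draft's default when 'headers' is absent is the Date header alone.
    parsed["headers"] = parsed.get("headers", "date").lower().split()
    return parsed


def build_signing_string(header_names, request_line, headers):
    """Join the covered lines in the order given; None if a header is absent."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in header_names:
        if name == "request-line":
            lines.append(request_line)
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            return None
    return "\n".join(lines)


def hmac_sha256_b64(secret, signing_string):
    digest = hmac.new(secret, signing_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_request(auth_header, request_line, headers):
    """True only if the header policy holds and the hmac-sha256 signature matches."""
    params = parse_signature_params(auth_header)
    # Policy check: the client picks 'headers', so the server insists on a minimum set.
    if REQUIRED_HEADERS - set(params["headers"]):
        return False
    secret = KEYS.get(params.get("keyId"))
    if secret is None or params.get("algorithm") != "hmac-sha256":
        return False
    signing_string = build_signing_string(params["headers"], request_line, headers)
    if signing_string is None:
        return False
    expected = hmac_sha256_b64(secret, signing_string)
    return hmac.compare_digest(expected, params.get("signature", ""))
```

A signature that covers only `date` is rejected by the policy check before any cryptography runs, which is the point of requiring a minimum header set regardless of what the client lists.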
