- From: David I. Lehn <dil@lehn.org>
- Date: Wed, 17 Apr 2013 19:13:24 -0400
- To: Carsten Bormann <cabo@tzi.org>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
On Wed, Apr 17, 2013 at 6:03 PM, Carsten Bormann <cabo@tzi.org> wrote:
> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
> I looked at this for about 5 seconds, but are you telling us the attacker gets to choose what the lines in the signed string are supposed to mean?
>

I'm not sure I understand your question? The request signature specifies the headers that are signed. The server can reject a request based on a header requirement policy. Our current implementation requires the headers to at least include request-line, host, and date. What specific attack did you have in mind?

-dave
Received on Wednesday, 17 April 2013 23:13:51 UTC