W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Web Keys and HTTP Signatures

From: Carsten Bormann <cabo@tzi.org>
Date: Thu, 18 Apr 2013 10:11:18 +0200
Cc: "David I. Lehn" <dil@lehn.org>, Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
To: Martin Thomson <martin.thomson@gmail.com>
On Apr 18, 2013, at 02:00, Martin Thomson <martin.thomson@gmail.com> wrote:

> It seems like a simple fix would be to
> include the list of headers under the signature as the first item.


The reason I didn't give this fix is that this just amounts to handing out more rope.

It seems to me the community may not have the resources to come up with a secure spec on their own.
I'd rather motivate them to spend some quality time with security experts than just throw "fixes"  for the immediately obvious problems over the wall, somehow hoping nobody will find the deeper ones.

Gre, Carsten
Received on Thursday, 18 April 2013 08:11:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC