W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Web Keys and HTTP Signatures

From: David Morris <dwm@xpasc.com>
Date: Thu, 18 Apr 2013 07:32:08 -0700 (PDT)
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <alpine.LRH.2.01.1304180721140.27828@egate.xpasc.com>

On Thu, 18 Apr 2013, Carsten Bormann wrote:

> On Apr 18, 2013, at 02:00, Martin Thomson <martin.thomson@gmail.com> wrote:
> > It seems like a simple fix would be to
> > include the list of headers under the signature as the first item.
> Obviously.
> The reason I didn't give this fix is that this just amounts to handing
> out more rope.
> It seems to me the community may not have the resources to come up with
> a secure spec on their own.
> I'd rather motivate them to spend some quality time with security
> experts than just throw "fixes"  for the immediately obvious problems
> over the wall, somehow hoping nobody will find the deeper ones.

I agree with you on the use of expertise. But to belabor the obvious,
including the header list in the signature doesn't change any reorder
property. If the header values can be swapped without the list included,
they can still be reordered with the list included. 

I've not read the design, but I don't understand how any modern 
signature hash wouldn't require a deterministic order for the header
values in the signature. That would seem to preclude a simple
swapping of values.
Received on Thursday, 18 April 2013 14:32:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC