Re: New Version Notification for draft-thomson-http-encryption-00.txt

On 12/05/15 08:30, Mark Nottingham wrote:
> On the other hand, it would be good if we make sure we don't
> needlessly block reuse. E.g., it would be good if this were aligned
> with something like
> <> (although
> we should be wary of what a minefield header signing has proven to be
> elsewhere). It might make sense to consider taking them on together.

Just a suggestion, and possibly a dumb one at that...

In other contexts, we've seen that people talk about use-cases
for signing and even deploy signing, but verification can lag
significantly behind, which can make the whole effort somewhat

So it might be a useful thing here to only try attempt the
general signed header field thing if there are use-cases that
are compelling where someone really treats the request or
response differently in a well defined way when a signature
that includes a header field is bad or cannot be verified.

By the "general signed header field thing" I mean something
that's like a DKIM-Signature or Dave Crocker's DOSETA proposal
or the Cavage draft above.

Note that DKIM didn't have to pass the test I'm suggesting
here, which was correct in that case. And again, the above
is a possibly dumb idea so please take it with salt:-)


Received on Tuesday, 12 May 2015 12:34:04 UTC