- From: Phil Hunt (IDM) <phil.hunt@oracle.com>
- Date: Sat, 9 Jul 2016 15:30:04 -0700
- To: Kevin Marks <kevinmarks@gmail.com>
- Cc: ietf-http-wg@w3.org
Yes. I was thinking of combining this with the JOSE specs so signing becomes possible.

Phil

> On Jul 9, 2016, at 2:51 PM, Kevin Marks <kevinmarks@gmail.com> wrote:
>
>> On Fri, Jul 8, 2016 at 11:44 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> Not sure if this has been discussed. One of the biggest problems with HTTP
>> request signing has been repeat headers. It presents the problem of detecting
>> which headers are intended and which header was signed first.
>>
>> It would be nice if the JSON encoding handled arrays so that the demand for
>> duplicate headers is removed. Signing could then be more successful and
>> could even stipulate that the presence of a repeat header in a signed
>> request is a failure condition.
>
> JSON doesn't help with this, as key order in objects (as opposed to
> lists) is not required or defined.
> Different programming languages behave differently here when
> iterating. PHP preserves definition order, Python orders by hash of
> the key, and Go randomises the order (to prevent accidental
> dependencies).
> Parsing JSON into native form and writing it out again makes key order
> indeterminate.
> As HTTP headers have order dependent behaviour, this is a problem with
> replacing the key: value with JSON.
>
Received on Saturday, 9 July 2016 22:30:43 UTC
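As an added illustration of the two points in this exchange (it is not code from the thread or from either author), the Python below contrasts a naive JSON object encoding of headers, where a repeated header silently overwrites an earlier value and the serialised bytes depend on the producer's key order, with an encoding that keeps each header's values as an ordered array and serialises with sorted keys, so the bytes are stable regardless of object iteration order. The header sample, the HMAC-SHA256 stand-in for a JOSE signature, the demo key and all function names are constructed for this example; a verifier also treats a repeated object key as a failure condition, as Phil's original message suggests.

```python
import hashlib
import hmac
import json

# Constructed sample request headers; Via is repeated, as proxies commonly do.
HEADERS = [
    ("Host", "example.com"),
    ("Via", "1.1 proxy-a"),
    ("Via", "1.1 proxy-b"),
    ("Content-Type", "application/json"),
]

# Same headers emitted by a producer that iterates in a different order; the
# relative order of the two Via values (which is significant) is unchanged.
REORDERED = [
    ("Content-Type", "application/json"),
    ("Via", "1.1 proxy-a"),
    ("Via", "1.1 proxy-b"),
    ("Host", "example.com"),
]

# Constructed demo key; a deployment would use a JOSE key, not a literal.
DEMO_KEY = b"demo-shared-secret"


def naive_encode(headers):
    """Map header name -> value in a plain JSON object, in whatever order the
    producer iterates. A repeated name overwrites the earlier value (one Via is
    lost) and the output bytes depend on the producer's iteration order."""
    obj = {}
    for name, value in headers:
        obj[name] = value
    return json.dumps(obj)


def canonical_encode(headers):
    """Lower-case every name, keep repeated headers as an ordered array, then
    serialise with sorted keys and no whitespace. The bytes no longer depend on
    object key order in any language, so they are a stable input for signing."""
    obj = {}
    for name, value in headers:
        obj.setdefault(name.lower(), []).append(value)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sign(payload: str) -> str:
    """HMAC-SHA256 over the encoded bytes (stand-in for a JOSE signature)."""
    return hmac.new(DEMO_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_rejecting_duplicates(text: str) -> dict:
    """Parse the canonical encoding and fail on a repeated object key, instead
    of json.loads's default behaviour of silently keeping the last value."""
    def no_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"repeated key in signed headers: {key}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_dupes)


def verify(payload: str, signature: str) -> dict:
    """Reject a repeated key, check the signature over the exact bytes received,
    and insist the payload is in canonical form so a re-serialisation by an
    intermediary cannot change what was signed."""
    headers = parse_rejecting_duplicates(payload)
    if not hmac.compare_digest(sign(payload), signature):
        raise ValueError("bad signature")
    if payload != json.dumps(headers, sort_keys=True, separators=(",", ":")):
        raise ValueError("payload is not in canonical form")
    return headers


def main():
    print("naive:    ", naive_encode(HEADERS))
    print("naive:    ", naive_encode(REORDERED))      # different bytes, one Via lost
    print("canonical:", canonical_encode(HEADERS))
    print("canonical:", canonical_encode(REORDERED))  # identical bytes
    payload = canonical_encode(HEADERS)
    print("verified: ", verify(payload, sign(payload)))
    try:
        verify('{"host":["a"],"host":["b"]}', sign('{"host":["a"],"host":["b"]}'))
    except ValueError as exc:
        print("rejected: ", exc)


if __name__ == "__main__":
    main()
```

The canonical form is what makes the signature portable: a receiver that parses the object, lower-cases nothing and re-serialises with sorted keys reproduces the signed bytes exactly, while the naive object form produces different bytes (and therefore a different signature) for the same logical headers depending on which implementation emitted it.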