- From: Roberto Polli <robipolli@gmail.com>
- Date: Fri, 22 Nov 2019 15:38:11 +0100
- To: "Richard Backman, Annabelle" <richanna@amazon.com>
- Cc: Rob Sayre <sayrer@gmail.com>, Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, 22 Nov 2019 at 14:56, Richard Backman, Annabelle <richanna@amazon.com> wrote:
>
> > Agree, though AWS4 serialization could avoid specifying payload serialization and delegate it to Digest...
> I'm looking forward to discussing how we should approach this in the working group.
> I think there's work to be done on message body signing, particularly for streaming.
> Neither stock SigV4 nor cavage (IIUC) handles that particularly well.

During the last httpwg there was a discussion about sending multiple trailers. That could be of some interest there: WDYT?

> > My experience with pre-11 draft-cavage resulted in insecure implementations due to under-specification about which fields to sign.
> From what I could tell, even on the thread you linked there was disagreement
> over whether Date and Expires should be included.
> Date is tricky because signature creation time seems obviously important
> but the signer may not have access to the value of that header.

Agree!

> SigV4 and cavage work around this by providing alternate ways
> of specifying the creation time (X-Amz-Date, the "created" parameter).

Yes, I proposed to use `created` and `expires` so that the signature would not have to rely on such headers. So while I thought that that information should be provided by the spec, I advocated not being prescriptive about the `Date` header.

> My inclination is that the core signing spec should be
> as non-prescriptive as possible, but it could offer guidance to profilers.

If you mean that the specification should contain all the required information without prescribing the headers to be signed then it's ok :)

My 2¢,
R.
Received on Friday, 22 November 2019 14:38:25 UTC
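
The `created`/`expires` approach discussed in this message, as an added example that is not part of the original e-mail or of any draft's text: the signing string carries the signature's creation and expiry times as `(created)` and `(expires)` pseudo-fields, so validity never depends on the `Date` header. Assumptions: the signing-string layout follows the draft-cavage-http-signatures-12 convention as understood here, HMAC-SHA256 stands in for the signature algorithm, and the function names, the `REQUIRED` policy, the key and the request are hypothetical, constructed values.

```python
import base64, hashlib, hmac

# Hypothetical profile policy: fields a verifier insists are covered.
REQUIRED = ("(request-target)", "(created)", "(expires)")

def signing_string(method, path, headers, covered, created, expires):
    """(created)/(expires) are taken from signature parameters, never from Date."""
    special = {"(request-target)": f"{method.lower()} {path}",
               "(created)": str(created), "(expires)": str(expires)}
    lines = []
    for name in covered:
        # A covered header absent from the message raises KeyError.
        value = special[name] if name in special else headers[name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines)

def _mac(key, text):
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha256).digest()).decode()

def sign(key, method, path, headers, covered, created, lifetime=300):
    expires = created + lifetime
    text = signing_string(method, path, headers, covered, created, expires)
    return {"created": created, "expires": expires,
            "headers": list(covered), "signature": _mac(key, text)}

def verify(key, method, path, headers, params, now, skew=30):
    covered = params["headers"]
    if any(field not in covered for field in REQUIRED):
        return "rejected: required field not covered"
    if params["created"] > now + skew:
        return "rejected: created in the future"
    if now > params["expires"]:
        return "rejected: expired"
    try:
        text = signing_string(method, path, headers, covered,
                              params["created"], params["expires"])
    except KeyError:
        return "rejected: covered header missing"
    ok = hmac.compare_digest(_mac(key, text), params["signature"])
    return "ok" if ok else "rejected: bad signature"

# Constructed sample request; the signer never reads or sets Date.
KEY = b"constructed-demo-key"
HEADERS = {"host": "example.org"}
PARAMS = sign(KEY, "POST", "/items", HEADERS,
              ["(request-target)", "(created)", "(expires)", "host"], created=1574433491)
```

Because `(expires)` is covered by the signature, editing the `expires` parameter in transit invalidates the signature instead of extending its lifetime.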