Re: draft-ietf-httpbis-message-signatures, a closer look

From: Eric J Bowman <mellowmutt@zoho.com>
Date: Wed, 14 Jul 2021 14:48:25 -0700
To: "Watson Ladd" <watsonbladd@gmail.com>
Cc: "ietf-http-wg" <ietf-http-wg@w3.org>
Message-Id: <17aa6fe0ed7.e3ff86ad4147.6777546135428033104@zoho.com>
---- On Wed, 14 Jul 2021 14:03:02 -0700 Watson Ladd <watsonbladd@gmail.com> wrote ----

> ...
>
> As far as I could tell post parameters are not covered by a signature,
> and thus are vulnerable to modification. Modifying posted form data
> could be very problematic. It's fine if out of scope, but feels like
> it should be included to be useful, especially given that form data
> can interact with URL query parameters.

...

Pardon my antiquated beliefs and terminology, but...

POST parameters are just an URL and it's up to Layer 7 to validate URLs. They're meant to be modified, some folks call it a Web API. IMO, "message signature" applies to a payload not an URL. Feature not bug.

-Eric
Received on Wednesday, 14 July 2021 21:48:45 UTC