
Re: draft-ietf-httpbis-message-signatures, a closer look

From: Nick Harper <ietf@nharper.org>
Date: Wed, 14 Jul 2021 15:10:16 -0700
Message-ID: <CACcvr=m_mJmYtsrHF1yC=PyLA-v-VXpyH5+tO3Rv+9+TPgkdzw@mail.gmail.com>
To: Eric J Bowman <mellowmutt@zoho.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, ietf-http-wg <ietf-http-wg@w3.org>

Parameters in the URL would be covered by the @request-content content
identifier. The body of a POST request could be covered by a digest content
identifier, assuming that the request includes a Digest HTTP header.

On Wed, Jul 14, 2021 at 2:51 PM Eric J Bowman <mellowmutt@zoho.com> wrote:

> ---- On Wed, 14 Jul 2021 14:03:02 -0700 Watson Ladd <watsonbladd@gmail.com> wrote ----
>
>
> ...
>
> As far as I could tell post parameters are not covered by a signature,
> and thus are vulnerable to modification. Modifying posted form data
> could be very problematic. It's fine if out of scope, but feels like
> it should be included to be useful, especially given that form data
> can interact with URL query parameters.
>
>
> ...
>
> Pardon my antiquated beliefs and terminology, but...
>
> POST parameters are just a URL and it's up to Layer 7 to validate URLs.
> They're meant to be modified, some folks call it a Web API. IMO, "message
> signature" applies to a payload, not a URL. Feature not bug.
>
> -Eric
>
>
>
Received on Wednesday, 14 July 2021 22:10:39 UTC
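Added example (my own illustration, not code from the thread or from the draft's authors): how a message signature covers the query parameters through the request-target component and the POST body only indirectly, through a signed Digest header. Component names and encodings follow the mid-2021 draft revisions (an @request-target value of lowercase method plus target, and a Digest header with a sha-256 value); later revisions and RFC 9421 changed them, so this shows the covering mechanism rather than an interoperable implementation. The hmac-sha256 key, key id, request and form body are all constructed for the demo. The last case shows the gap Watson raised: if the Digest header is not among the covered components, the body can be altered without the signature noticing.

```python
"""Message-signature coverage of query string and POST body (illustration only)."""
import base64
import copy
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed, demo only
KEY_ID = "test-key"  # constructed


def digest_header(body: bytes) -> str:
    """Digest header value for the body: sha-256 over the bytes, base64-encoded."""
    return "sha-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def component_value(name: str, request: dict) -> str:
    """Value of one covered component, as it will appear in the signature base."""
    if name == "@request-target":
        # 2021-era drafts: lowercase method, a space, then the request target incl. query
        return f"{request['method'].lower()} {request['target']}"
    for field, value in request["headers"].items():  # field names are case-insensitive
        if field.lower() == name:
            return value.strip()
    raise KeyError(f"covered component {name!r} missing from request")


def signature_params(covered: list, created: int, keyid: str) -> str:
    ids = " ".join(f'"{c}"' for c in covered)
    return f'({ids});created={created};keyid="{keyid}"'


def signature_base(request: dict, covered: list, params: str) -> bytes:
    """One '"name": value' line per covered component, then the signature params."""
    lines = [f'"{name}": {component_value(name, request)}' for name in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign(request: dict, covered: list, created: int, key=SHARED_KEY, keyid=KEY_ID) -> dict:
    params = signature_params(covered, created, keyid)
    mac = hmac.new(key, signature_base(request, covered, params), hashlib.sha256).digest()
    request["headers"]["Signature-Input"] = f"sig1={params}"
    request["headers"]["Signature"] = f"sig1=:{base64.b64encode(mac).decode()}:"
    return request


def verify(request: dict, key=SHARED_KEY) -> tuple:
    """Recompute the signature over the received message, then check Digest against the body."""
    _label, params = request["headers"]["Signature-Input"].split("=", 1)
    covered = [c.strip('"') for c in params[1:params.index(")")].split()]
    expected = hmac.new(key, signature_base(request, covered, params), hashlib.sha256).digest()
    received = base64.b64decode(request["headers"]["Signature"].split("=", 1)[1].strip(":"))
    if not hmac.compare_digest(expected, received):
        return False, "signature mismatch"
    # A signed Digest header binds the body only if the verifier checks the body against it.
    if "digest" in covered and request["headers"]["Digest"] != digest_header(request["body"]):
        return False, "Digest header does not match body"
    return True, "ok"


def build_request() -> dict:
    body = b"user=alice&amount=10"  # constructed form data
    return {
        "method": "POST",
        "target": "/transfer?account=1234",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Digest": digest_header(body)},
        "body": body,
    }


def demo() -> dict:
    """Sign a request, then try the tamperings discussed in the thread."""
    req = sign(build_request(), ["@request-target", "digest", "content-type"], 1626300000)
    results = {"original": verify(req)[0]}

    body_changed = copy.deepcopy(req)
    body_changed["body"] = b"user=alice&amount=9999"
    results["body_changed"] = verify(body_changed)[0]  # Digest no longer matches

    query_changed = copy.deepcopy(req)
    query_changed["target"] = "/transfer?account=9999"
    results["query_changed"] = verify(query_changed)[0]  # @request-target changed

    fixed_digest = copy.deepcopy(body_changed)
    fixed_digest["headers"]["Digest"] = digest_header(fixed_digest["body"])
    results["body_and_digest_changed"] = verify(fixed_digest)[0]  # signed Digest changed

    # Watson's concern: sign without covering Digest and the body is unprotected.
    weak = sign(build_request(), ["@request-target", "content-type"], 1626300000)
    weak["body"] = b"user=alice&amount=9999"
    results["body_changed_digest_not_covered"] = verify(weak)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:35s} verifies={ok}")
```

The verifier does two separate checks on purpose: the HMAC proves the Digest header is the one the signer saw, and the recomputed digest proves the body on the wire is the one that header describes. Skipping either check, or leaving "digest" out of the covered components, leaves the form data modifiable.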