- From: Justin Richer <jricher@mit.edu>
- Date: Thu, 29 Jul 2021 12:08:36 -0400
- To: squid3@treenet.co.nz
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <886A5D7F-0CA8-4B55-A617-893214EE6A7D@mit.edu>
Thanks for the response. Trimming this thread down as I’d like to understand more about this point:

>> - When multiple values are sent, is this an AND or an OR of
>> parameters? Do I have to send something that fits only one, or one for
>> each, or one for all of them, or … ?
>
> I propose that the values are independent. So that an agent can require one signature, and offer to accept others for better cross-validation if provided.
>
> I can foresee some corporate/national policy requiring algorithm A which is outdated/insecure trying to operate in a world that has migrated to some better algorithm B already. Giving developers and admin the ability to say "require A, also check B"
>

It seems like you’re saying we should have some kind of flag that marks a given signature request set as “required”, and otherwise all elements are “OR”’d with each other. Is that it?

So if I sent:

    Want-Signature: sig1=(a b c);alg=bad-rsa;required, sig2=(a b d);alg=other-rsa

Then a responder could send back:

    Signature-Input: sig1=(a b c);alg=bad-rsa;key-id=legacy-key, sig3=(c d e);alg=new-fancy-ec

And that would be acceptable. But if it sent back:

    Signature-Input: sig2=(a b d);alg=other-rsa;key-id=legacy-key, sig3=(c d e);alg=new-fancy-ec

This would not be acceptable because it’s missing the “required” input even though it covers the other signature in the request. Both of them add their own separate non-specified signature and that’s fine.

Am I reading this right? Along these lines, whether or not I’m understanding this suggestion, could you please give a couple examples of the kind of syntax you’d expect to see for this, with your ideas on how they’d be interpreted?

— Justin
Received on Thursday, 29 July 2021 16:09:03 UTC
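
The reading described in the message above, as an added Python example that is not part of the original e-mail or of any draft text: a verifier-side check that a `Signature-Input` value satisfies a `Want-Signature` value. Assumptions: a request is matched by label, exact covered-component list and `alg`; when nothing is marked `required`, at least one requested signature must be present; the function names and the small parser (which handles only the header shapes shown in the message, not full Structured Fields) are hypothetical.

```python
import re

# One member of the shape used in the message: label=(components);param;param=value
MEMBER = re.compile(r"\s*([\w-]+)=\(([^)]*)\)((?:;[\w-]+(?:=[\w.-]+)?)*)\s*")

def parse(value):
    """Parse 'sig1=(a b c);alg=x;required, ...' into {label: (components, params)}."""
    members = {}
    for item in value.split(","):
        m = MEMBER.fullmatch(item)
        if not m:
            raise ValueError(f"unparseable member: {item!r}")
        label, comps, raw = m.groups()
        params = {}
        for p in filter(None, raw.split(";")):
            key, _, val = p.partition("=")
            params[key] = val or True          # bare parameter such as ;required
        members[label] = (tuple(comps.split()), params)
    return members

def satisfies(want_value, offered_value):
    """Return (acceptable, unmet_required_labels) under the reading in the message."""
    want, offered = parse(want_value), parse(offered_value)

    def met(label):
        # Assumption: same label, same covered components, same algorithm.
        if label not in offered:
            return False
        comps, params = want[label]
        o_comps, o_params = offered[label]
        return o_comps == comps and o_params.get("alg") == params.get("alg")

    required = [l for l, (_, p) in want.items() if p.get("required")]
    unmet = [l for l in required if not met(l)]
    if unmet:
        return False, unmet                    # a required signature is missing
    if required:
        return True, []                        # others are optional extras
    # Assumption: with no 'required' flag, the requests are OR'd together.
    return any(met(l) for l in want), []

# Header values copied from the message.
WANT = "sig1=(a b c);alg=bad-rsa;required, sig2=(a b d);alg=other-rsa"
RESP_OK = "sig1=(a b c);alg=bad-rsa;key-id=legacy-key, sig3=(c d e);alg=new-fancy-ec"
RESP_BAD = "sig2=(a b d);alg=other-rsa;key-id=legacy-key, sig3=(c d e);alg=new-fancy-ec"

if __name__ == "__main__":
    print(satisfies(WANT, RESP_OK))
    print(satisfies(WANT, RESP_BAD))
```

Unrequested signatures such as `sig3` are ignored by the check, matching the message's note that extra signatures are fine.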